Microsoft promises 12 patches next week

Plans to fix Access bug being exploited, may patch IE flaw involved with Safari 'carpet bomb'

Microsoft Thursday said it will deliver a dozen security updates next week to fix critical vulnerabilities in Windows, Office, Internet Explorer (IE) and the media player bundled with Vista.

Of the 12 updates it sketched out in the advance notification issued Thursday morning, Microsoft pegged seven as "critical," its highest threat rating. The remaining five were labeled "important," the second-highest ranking.

"We almost have a baker's dozen," said Andrew Storms, director of security operations at nCircle Network Security. "What struck me was the complete depth of Microsoft software that the updates will touch this month."

As is its practice, Microsoft divulged little information about each update, limiting the disclosure to naming the affected software and spelling out in only general terms the nature of the bugs.

Four of the seven critical updates will patch Office, with three of those aimed at Access, Excel and PowerPoint. Another update, downgraded to important, will patch one or more bugs in Word, the suite's word processor.

The other critical updates will fix unspecified flaws in Windows, IE and Media Player 11, the edition included with Windows Vista.

Microsoft acknowledged that each of the seven critical updates would fix flaws that could be exploited remotely, an indication that they were among the most serious of vulnerabilities, and could potentially be used to hijack PCs.

At least one of the vulnerabilities has already been exploited by hackers. A flaw in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, generated a security advisory a month ago Thursday, when the company warned that criminals were actively tricking users into visiting a malicious Web site in order to compromise their computers.

A week later, Symantec researchers reported that a popular attack kit had been updated with a Snapshot Viewer exploit, and warned of more attacks.

Storms speculated that the critical IE patch was also required to plug the ActiveX hole. "The bug could be a cross-over to multiple programs," he said, noting that that is often the case in an ActiveX bug.

Microsoft may also be patching IE to quash a bug first reported in 2006, but which returned to the limelight in May when security researcher Aviv Raff claimed that it could be combined with a flaw in Apple's Safari. At the end of that month, Microsoft warned users of the blended threat and recommended that people stop using Safari. Apple has since patched Safari and Mozilla also updated Firefox to stop possible blended attacks using its browser, but Microsoft has yet to fix the flaw.

Of the five bulletins tagged important, two will patch vulnerabilities in Windows, while one each will address issues in Outlook Express and Windows Mail, the Messenger instant messaging client and Word. Ironically, only the newest versions of Windows -- Vista and Server 2008 -- will need to be patched by both Windows-specific updates. Earlier editions, including Windows 2000, Windows XP and Windows Server 2003, will require only one of the pair.

The dozen patches should keep IT administrators busy, but the work will be different, and possibly less stressful, than last month, said Storms, when they had to test and roll out several less-critical updates to server-side software, including a fix for the DNS vulnerability that's been in the news the last month.

"It will be a different kind of work this month," he said. "The potential for downtime is a little less, for one thing. If a single laptop fails because it didn't get its IE patch, that's not so bad as last month, when an Exchange server could have gone down after patching."

The 12 security updates will be posted on August 12.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >

Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?