Microsoft patches

Microsoft issues massive security updates

Judi Hasson — Wed, 13 Aug 2008 16:54:52 -0400

Microsoft has released patches for 26 vulnerabilities in Windows, Office, Internet Explorer, Windows Messenger and other software. It is the largest update in 18 months and includes 11 bulletins, with six described as "critical." Of the 11 updates, two were most anticipated: a patch for a bug in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, and one for a less-critical flaw in Microsoft Word.

The Snapshot Viewer and Word vulnerabilities have been exploited by attackers. Andrew Storms, director of security operations at security vendor nCircle Network Security, told Computerworld that there were two major themes in the massive update. "There's a lot of file-parsing vulnerabilities here," he said, "and a ton of replacement bulletins."

For details on the Microsoft updates:
- check out this Computerworld.com article

Patch Tuesday in June sees fixes for three critical flaws

Paul Mah — Fri, 06 Jun 2008 04:57:25 -0400

Microsoft will be issuing a total of seven security bulletins on the upcoming Patch Tuesday release on June 10. Three of these patches are considered critical, and will patch Windows components relating to Bluetooth and DirectX, as well as Internet Explorer. The other three bulletins are marked as "important" with the seventh one, marked as "moderate," being the most intriguing.

Instead of replacing any files, the update merely sets a "kill bit." A kill bit is a Microsoft-coined term to denote a flag in the Windows registry used for the sole purpose of disabling specific ActiveX controls. Speculation is that the fix involves a third party component, since Microsoft could have simply described it as an "ActiveX" issue if it is a Microsoft-built component.

For more on Microsoft's Patch Tuesday:
- check out this ChannelWeb article

April Patch Tuesday cometh

Mehan Jayasuriya — Thu, 03 Apr 2008 16:18:44 -0400

Another month, another Microsoft Patch Tuesday. What's in store for us this month? Well, it looks like we'll be seeing eight patches total, five of which will be labeled as "critical". The critical updates will address code execution vulnerabilites in both Windows and Internet Explorer. Affected versions are as follows: Windows Vista, Windows XP, and Windows 2000, Windows Server 2003, Windows Server 2008 and all versions of Internet Explorer. In addition to the critical fixes, the company will patch two "important" vulnerabilites relating to spoofing and unauthorized user privilege elevation attacks in Microsoft Office. More on the patches next week.

For more on the coming patches:
- see this Information Week story

Get ready for February Patch Tuesday

Fri, 08 Feb 2008 06:59:57 -0500

It's that time of the month again: time for Microsoft's monthly Patch Tuesday. This coming Tuesday will bring a total of 12 security bulletins, seven of which are rated "Critical," with the other five labeled "Important." Out of the 12, a whopping nine bulletins are said to address remote code execution vulnerabilities. While most of this bulletins affect Windows and Office, versions of Visual Basic, VBScript, JScript, Internet Explorer, Active Directory, ADAM, IIS and Works are also included among the list of applications set to be patched. IT managers and CIOs, make sure that your IT department is ready.

For more on February Patch Tuesday:
- see this Ars Technica article

ALSO NOTED: Six Microsoft patches coming next week; Even simple malware incidents are still pretty dangerous; and much more...

Sun, 12 Nov 2006 19:01:33 -0500

> Six Microsoft patches coming next week. Article

> Even simple malware incidents are still pretty dangerous. Article

> IBM marketing goes right for HP's sales jugular--its customers. Article

> Why it's a good time to make sure your staff is happy. Article

> Motorola acquisition revs up its goal to dethrone the BlackBerry. Article

> Gates expounds on what's causing the tech labor shortage. Article

> The politics of pulling in virtualization technologies. Article

And Finally... The best sites for getting a jump on tech toy shopping. Article

ALSO NOTED: Oracle enhances its patching approach; "True" broadband wireless not a reality, yet; and much more...

Wed, 11 Oct 2006 20:01:33 -0400

> Oracle enhances its patching approach. Article

> "True" broadband wireless not a reality, yet. Article

> Microsoft patch glitch fixed. Article

> Mexico nixes Yahoo's laser beam time capsule plans. Article

And Finally... The dawn of virtual parenting. Article

No fix for new IE bug

Sun, 17 Sep 2006 20:01:39 -0400

A full week hasn't even passed since this month's Microsoft Patch Tuesday and already there's a new bug on the prowl. The vulnerability impacts Internet Explorer--crashing the popular browser through a flaw in the ActiveX control. As of late last week the company said it may end up doing an out-of-cycle fix instead of waiting until next month's patch release.

For more on the IE vulnerability:
- read this article at TechWeb

Editor's Corner

Thu, 17 Aug 2006 20:01:40 -0400

Aside from the constant release of new Microsoft patches, one topic I find myself writing about frequently these past few months is the increasing number of laptop thefts and data robberies, both in the pubic and private sector. And according to a new study, this newsletter could be chock-full of such news, as 81 percent of US firms have admitted that they've lost confidential data at one point--due a missing or stolen laptop. The survey, conducted by Ponemon Institute and Vontu, calls the issue "pervasive." I'd call it astounding. What's even more frightening is that oftentimes, no one can even account for exactly what data is stored on a device that has gone missing. Check out these statistics and tell me they don't scare you a bit too: 64 percent of those polled have never conducted an inventory of either sensitive consumer data or employee data. And as a news item in this issue notes, data stored on those handy USB flash drives isn't too secure either. Over 53 percent admit they wouldn't be able to determine what sensitive data was actually housed on those devices. Yikes. I don't think there's any better time than the present to get laptop security policies in place and inventory efforts into action.- Judy

ALSO NOTED: New Microsoft patch coming to fix IE crash issue; Liberty Alliance group focused on e-government identity efforts;

Wed, 16 Aug 2006 20:01:33 -0400

> New Microsoft patch coming to fix IE crash issue. Article

> Liberty Alliance group focused on e-government identity efforts. Article

> Why opening up Java code isn't a huge thing for developers. Article

> Demand for business-smart IT folks just keeps increasing. Article

> xMax VoIP service promises to cost less, use less power. Article

And Finally... Why AOL is going digging for gold. Article

Feds urge Windows patching

Wed, 09 Aug 2006 20:01:39 -0400

The latest batch of Microsoft patches has caught the attention of Department of Homeland Security folks, who have issued a strong advisory about how one of the Windows vulnerabilities could put the country's infrastructure at risk. It's asking all IT organizations get the patch for the Windows Server vulnerability as soon as possible as it's already become a tool for hackers. Federal officials say the flaw could impact both private and government systems and a worm let loose through the security hole could have serious repercussions.

For more on the federal Windows security advice:
- get more at InfoWorld