Microsoft today issued four updates to fix at least a dozen security vulnerabilities in its Office software products. All of the updates earned Microsoft's "critical" label, meaning attackers could exploit the flaws to break into Windows systems with little or no help from users.
Included in today's Patch Tuesday roundup are fixes for just about every Office suite or stand-alone product that Microsoft currently supports -- going back to Office 2000 and including Office for Mac software and various Office Viewer components.
One of the updates, which mends at least seven flaws in different Office titles, patches a security hole that hackers were exploiting as early as last week, according to reports from US-CERT and the SANS Internet Storm Center.
Interestingly, that patch and one other address security holes found in Office 2007, a product that underwent rigorous code review in an attempt to minimize the kinds of security weaknesses that were found to be pervasive in older versions of Office.
Office users can grab the latest patches from Microsoft Update. Office 2000 users, however, can only obtain them from Microsoft's Office Update. Office 2000 users may also need to have their Office installation CD handy in order to install these updates. [...]
Read more ...
Brian Krebs on Computer Security. The Washington Post Company.
Showing posts with label Patch. Show all posts
Showing posts with label Patch. Show all posts
Wednesday, March 12, 2008
Wednesday, September 12, 2007
Microsoft serves light fare on Patch Tuesday
No critical patches for most Windows users
By Dan Goodin in San Francisco → More by this author
Published Tuesday 11th September 2007 22:00 GMTFind your perfect job - click here from thousands of tech vacancies
Microsoft served comparatively modest fare for its monthly patch release on Tuesday, issuing only four security-related updates, only one of which carried its top severity rating of critical. It plugged a hole in a Windows 2000 component, while the other updates fixed vulnerabilities rated as important in instant messenger programs, Visual Studio .Net and Windows services for
Unix found on several different versions of the Windows operating system.
In a rare event, the typical Windows user is likely to have just one patch to install. It addresses a vulnerability in the MSN Instant Messenger and Windows Live Messenger that could allow an attacker to take over a machine by tricking a victim into clicking on a specially crafted chat request. Despite MSN Messenger being installed on every copy of Windows, Microsoft rated the flaw important, presumably because it can't be exploited without the user taking action first.
Some users may have no patches to install, as was the case with this reporter. That's because the vulnerability doesn't affect Windows Live Messenger version 8.1, which was installed on the machine. A spokeswoman says other versions of Windows Live Messenger don't use Windows Update to install new updates. Instead, the client prompts the user to install a new version, she said. Windows Update still encouraged us to run Windows Malicious Software Removal Tool, as it does every month.
The rest of the updates apply to more technically inclined users. The most serious is the patch for a Windows 2000 component known as Microsoft Agent, which fixes a critical vulnerability that could allow an attacker to remotely execute code of his choosing. A third flaw affecting Visual Studio could also allow a remote execution, but only if a user opens a specially crafted RPT file. The last vulnerability, which affects Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for UNIX-based Applications, could allow an attacker to elevate privileges.
A fifth patch that had been planned for today was pulled for reasons that are not entirely clear. It was to address a vulnerability in SharePoint and had a severity rating of important. "Once Microsoft has developed and tested a security update that meets its quality bar for release, it will release the final update for this affected product along with a bulletin as part of Microsoft’s regularly scheduled process," a company spokeswoman said. You might say this month's Patch Tuesday was a small snack. By comparison, August's release required users to gorge on nine patches, six of which were rated critical. Internet phone provider Skype said the binge triggered a system-wide outage that lasted several days. The explanation left many of us scratching our heads because Patch Tuesday has been a regular fixture for several years now, and it was unclear why the update bundle only recently wreaked havoc. [...]
Read more ...
The Register. Security.
By Dan Goodin in San Francisco → More by this author
Published Tuesday 11th September 2007 22:00 GMTFind your perfect job - click here from thousands of tech vacancies
Microsoft served comparatively modest fare for its monthly patch release on Tuesday, issuing only four security-related updates, only one of which carried its top severity rating of critical. It plugged a hole in a Windows 2000 component, while the other updates fixed vulnerabilities rated as important in instant messenger programs, Visual Studio .Net and Windows services for
Unix found on several different versions of the Windows operating system.
In a rare event, the typical Windows user is likely to have just one patch to install. It addresses a vulnerability in the MSN Instant Messenger and Windows Live Messenger that could allow an attacker to take over a machine by tricking a victim into clicking on a specially crafted chat request. Despite MSN Messenger being installed on every copy of Windows, Microsoft rated the flaw important, presumably because it can't be exploited without the user taking action first.
Some users may have no patches to install, as was the case with this reporter. That's because the vulnerability doesn't affect Windows Live Messenger version 8.1, which was installed on the machine. A spokeswoman says other versions of Windows Live Messenger don't use Windows Update to install new updates. Instead, the client prompts the user to install a new version, she said. Windows Update still encouraged us to run Windows Malicious Software Removal Tool, as it does every month.
The rest of the updates apply to more technically inclined users. The most serious is the patch for a Windows 2000 component known as Microsoft Agent, which fixes a critical vulnerability that could allow an attacker to remotely execute code of his choosing. A third flaw affecting Visual Studio could also allow a remote execution, but only if a user opens a specially crafted RPT file. The last vulnerability, which affects Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for UNIX-based Applications, could allow an attacker to elevate privileges.
A fifth patch that had been planned for today was pulled for reasons that are not entirely clear. It was to address a vulnerability in SharePoint and had a severity rating of important. "Once Microsoft has developed and tested a security update that meets its quality bar for release, it will release the final update for this affected product along with a bulletin as part of Microsoft’s regularly scheduled process," a company spokeswoman said. You might say this month's Patch Tuesday was a small snack. By comparison, August's release required users to gorge on nine patches, six of which were rated critical. Internet phone provider Skype said the binge triggered a system-wide outage that lasted several days. The explanation left many of us scratching our heads because Patch Tuesday has been a regular fixture for several years now, and it was unclear why the update bundle only recently wreaked havoc. [...]
Read more ...
The Register. Security.
Subscribe to:
Posts (Atom)
![[JP]Sec.](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1_Dlt05VoNBIQafKr71lfK_Ky9zS4ZJrSX6VQE4EKkPrVayGvndXAEBKL-fA0Yyl98dxhuuz3mrdE1rndlj-rxyFi4eczg8VxefLBUY3KkGkWjGWZFqBi28ahTxwEft9bmEVvHdtZbJo/s1600/MSNLogo.png)
