Establishing Digital Trust: Don't Sacrifice Security for Convenience
As the dog days of summer arrive in Seattle, Microsoft is preparing to issue four security bulletins next Tuesday -- three of them rated "critical," Microsoft's highest ranking.
The good news is there are only four patches, and that two of them fix outstanding zero-day vulnerabilities for which users and administrators have been waiting.
Microsoft (NASDAQ: MSFT) typically gives IT administrators advance notice the week before each of its monthly Patch Tuesday roundups of bug fixes. However, because it doesn't want to alert nefarious hackers to security vulnerabilities before Patch Tuesday, the company's advance notices usually give only slim details.
Coming next Tuesday are patches for critical flaws in both 32-bit and 64-bit versions of Windows XP with Service Pack 2 (SP2) and SP3, in 64-bit versions of Windows 7, and in Windows Server 2008 Release 2 (R2) for x64 systems. However, editions of Windows Server 2008 R2 that were deployed using the so-called "server core" installation option are not at risk, Microsoft's security team said in its advance notice.
Also impacted in the critical bulletins is Windows Embedded Standard 7 for x64 systems. That version is designed for use in embedded applications, such as point-of-sale terminals. Windows Embedded Standard 7 was released to embedded system makers in late April.
Additionally, Microsoft will release a security patch for a critical hole in its Access personal database, which ships with some versions of Microsoft Office. In this case, the patch fixes a flaw in Access for Office 2003 SP3 and Office 2007 SP1 and SP2.
The company is also going to release a patch for a fourth vulnerability that occurs in Microsoft Office Outlook 2002 SP3, Outlook 2003 SP3, and in Outlook 2007 SP1 and SP2. However, that flaw is only rated as "important" -- the second-highest in Microsoft's four-tiered severity ranking scale.
Last month, Microsoft also fixed three critical vulnerabilities. However, in the June patch drop overall, Microsoft released a total of ten patches that fixed some 34 security problems -- near the company's all-time record for fixing security vulnerabilities.
This time around, Microsoft is releasing fixes for two recent zero-day vulnerabilities. One of them, a security hole in the way Windows XP's Help and Support Center functions -- and which was publicly revealed by a Google security researcher in early June -- has already resulted in more than 10,000 attacks in the wild by the end of the month, according to Microsoft.
The other zero-day that Microsoft will fix next week is a vulnerability in a screen display driver in 64-bit versions of Windows Server 2008 R2 that surfaced in mid-May. Unlike the XP Help and Support Center flaw, though, no attacks using that vulnerability have yet been reported.
"The good news is that with the release of these four bulletins next week, Microsoft will take care of the two recent security advisories," Don Leatham, senior director of solutions and strategy at security researcher Lumension, said in an e-mail to InternetNews.com.
As expected, however, Microsoft will not address another zero-day vulnerability that had been publicly revealed earlier this week by an anonymous group of hackers who said they were retaliating against Microsoft's recent criticism of third-party security researchers. Microsoft and other software companies often criticize third-party and independent security researchers for not giving them enough time to formulate a patch before releasing exploit code for newly discovered security flaws.
Nor will Microsoft fix a security hole in its Microsoft Foundation Classes -- an important set of libraries for developers -- that it warned users and system administrators about on Tuesday.