Microsoft Issues Record Number of Security Updates
Posted: under Internet Explorer, Microsoft, Security Bulletins.
Tags: Microsoft, Security, updates, windows
Microsoft Corp. issued a record-breaking number of software security updates today, shipping patches that plug at least 31 different security flaws in its Windows operating systems and other software.
More than half of the security holes Microsoft plugged with June’s patch batch earned a “critical,” severity rating, meaning Redmond believes attackers could exploit the flaws to break into vulnerable systems without any help from the victims. What’s more, Microsoft is warning that it expects to see publicly available reliable exploit code for most of the vulnerabilities it has issued patches for today.
According to Symantec Corp., this is the largest number of vulnerabilities Microsoft has ever addressed in a single patch release (the previous record was set in Dec. 2008, when Microsoft issued 28 security updates in one go).
Probably the most important of today’s updates is a critical patch that addresses at least eight security holes in various versions of Microsoft’s Internet Explorer Web browser, including IE8. In fact, one of the flaws patched in IE8 was first demonstrated at a hacking competition in Canada in March. Microsoft says that particular flaw does not affect the Windows 7 release candidate (RC), but does affect Windows 7 Beta. The IE 8 updates for the Windows 7 Beta are available here.
“These weaknesses actually appear to be quite simple to exploit and we have observed malicious code being offered in malware toolkits that have taken advantage of very similar vulnerabilities,” said Ben Greenbaum, senior research manager for Symantec Security Response, of the IE flaws.
Another update patches two security holes in Microsoft’s Internet Information Services (IIS) Web server software. Andrew Storms, director of security operations for vulnerability management company nCircle, notes that instructions explaining how to exploit one of those IIS flaws already is available online.
“Anyone running IIS that isn’t using the available mitigation steps should jump on this one right away because there are exploits in the wild, and an exploited server can allow attackers to gain unauthorized access to protected resources on your Web site,” Storms said.
Microsoft also released an update that plugs at least seven holes in Microsoft Office Excel. These vulnerabilities are most serious on Office 2000 installations, but those users can’t get these updates from Windows Update.
Last month, Microsoft shipped a single patch to plug some 16 security holes in various versions of its Powerpoint software. The company said at the time that it was still working on fixing those flaws in the Powerpoint versions in Office for Mac and Microsoft Works. Today, Microsoft addressed those Mac and Works vulnerabilities in a separate Powerpoint patch rollup.
Comments (0)
Jun 11 2009
