By Sharon Gaudin
June 7, 2007
Gearing up for next week's Patch Tuesday release, Microsoft announced on
Thursday that it's preparing six security updates -- four of them for
One security update actually can patch multiple vulnerabilities so it's
unclear at this point how many flaws next week's releases will fix.
Microsoft, though, did announce in its Security Bulletin Advance
Notification that each of the four critical updates will affect Windows
software, while only one affects Internet Explorer. Another one will
address issues in Outlook Express, as well as Windows Mail.
One critical vulnerability affects Windows Mail in Windows Vista and
Windows Vista x64 edition. There is another patch for Windows Vista that's
All of the critical bugs being fixed enable remote code execution,
meaning that a remote hacker could take over an affected system.
The one security bulletin that received Microsoft's second-highest
threat rating of "important" affects the Office application suite, as
well as Microsoft Visio, which is diagramming software. The flaw being
fixed also enables remote code execution. It's not yet clear why this is
not a critical flaw, as nearly all remote code execution vulnerabilities
are rated that way.
The 'moderate' security bulletin affects a bug in Windows that causes
Johannes Ullrich, CTO for the Internet Storm Center, a cooperative cyber
threat-monitoring and alert system, said this seems like an average-size
patch release for Microsoft -- slightly less than last month when
Microsoft released seven bulletins in its monthly patch release. He is
hoping, though, that several of the outstanding Internet Explorer flaws
are fixed in the June 12 release.
"There are about six publicly known IE bugs out there," he added in an
interview. "Typically, Microsoft issues patches that fix multiple bugs.
Last month, four vulnerabilities were fixed with one IE patch. That
would be good."
Ullrich also is hoping that Microsoft patches several outstanding Office
vulnerabilities. "It's definitely one of the issues that keeps bugging
users," he said. "We haven't seen any of them widely used yet. They're
being used in smaller, targeted attacks."