Microsoft Issues Massive Patch Update

By Dave Nixon

February 14, 2008

Microsoft has released 11 security updates fixing serious flaws in its products, including a publicly known ActiveX bug that affects users of the Visual FoxPro database.

Overall, 17 separate software defects were patched in the updates. Microsoft rates six updates as critical, meaning they ought to be installed immediately, while the remaining five updates are considered “important.” Last month was a less painful month for IT administrators, when Microsoft released just two updates.

Microsoft surprised some by releasing one fewer update than anticipated. Last Thursday the software vendor had said that it was preparing a fix for critical VBScript and JScript flaws in Windows 2000, XP, and Windows Server 2003. That update wasn’t included in this week’s patches, but on Tuesday Microsoft wouldn’t confirm that it had in fact dropped the update, as “this could put customers at risk,” according to a spokeswoman for the company’s public relations agency.

Security experts said on Tuesday that the MS08-010 update, which fixes four flaws in Internet Explorer, should take precedence this week. “There are four vulnerabilities within that particular patch and all of them are remote-code executable,” said Jonathan Bitle, director of technical account management with Qualys.

“The way we’re looking at it, our prioritisation would put MS08-010 at the top followed by MS08-007,” said Don Leatham, director of solutions and strategy with Lumension Security.

MS08-010 fixes a publicly known ActiveX bug affecting Visual FoxPro users. Even though hackers have already published code illustrating methods to take advantage of this vulnerability, the flawed ActiveX control is not included in Internet Explorer 7’s default list of controls, so the flaw should not affect the majority of users.

The MS08-007 update fixes a critical flaw in the Windows XP and Vista WebDAV redirector software. WebDAV is a Web-based document sharing protocol. The flaw is rated significant for Windows Server 2003 users.

Microsoft’s Office products are also a major source of patches this month.

Tuesday’s updates include critical fixes for Microsoft Word, Office Publisher and Office itself.

There is also a critical update for Windows’ Object Linking and Embedding (OLE) Automation software.

The remaining updates, rated important, are for Active Directory, the Vista TCP/IP stack, the Microsoft Works file converter and two flaws in the Internet Information Services (IIS) Web server.

The Patch Tuesday updates demonstrate that client-side bugs remain a higher risk than server-side vulnerabilities, said Andrew Storms, director of security operations with nCircle.

“One would have assumed that the IIS and Active Directory vulnerabilities would have been the most serious because they stand at the core of an enterprise and provide more critical services,” he said via instant message. “But with this month’s patches, the hacker’s best bet is to take advantage of the client-side attacks.”
