[ISN] July to be another big patch month for Microsoft

InfoSec News isn at c4i.org
Fri Jul 7 05:30:37 EDT 2006


By Robert McMillan
IDG News Service

With online attackers taking advantage of holes in its Office
software, Microsoft plans to release seven software patches next week.

Four of the updates will fix bugs in Windows, while another three will
address flaws in Microsoft Office, Microsoft said Thursday in a
bulletin on its Web site. Both sets of patches will address critical
flaws, which attackers could exploit to run unauthorized code on a PC
without any user action.

The patches will be released on July 11 as part of Microsoft's
regularly scheduled monthly security updates. Microsoft's advance note
on the updates can be found here.

The new software will likely fix a number of publicly reported
vulnerabilities in Office, some of which concern Excel, said Gunter
Ollmann, director of Internet Security Systems' X-Force threat
analysis service.

Last month, Microsoft confirmed that it was investigating three issues
that relate to Office, following reports that hackers had launched a
targeted attack, against an unnamed government contractor, that took
advantage of a bug in its Excel spreadsheet software.

Two of the bugs could be used to compromise a PC, but they would first
require user action like opening a malicious document and clicking on
hyperlinks. The third appears to be less critical, but it could be
used to run an unauthorized ActiveX control, Microsoft said.

On Thursday another bug was added to the mix with security vendor
Secunia warning of a flaw affecting Asian language versions of Excel.  
As with the other bugs, victims would need to be tricked into doing a
little work before compromising their systems, but if this were to
happen, attackers could run their malicious software on the PC,
Secunia said.

More details on this latest flaw can be found here.

The seven patches may keep system administrators busy next week, but
not as busy as they were in June. Last month Microsoft released 12
security updates.

The IDG News Service is a Network World affiliate.
