Microsoft security update biggest in five years
Last month we noted that Microsoft’s ‘Patch Tuesday’ update was surprisingly quiet with just one critical issue fixed. The phrase ‘calm before the storm’ comes to mind with this month’s update containing fixes for 23 critical bugs, the highest figure since 2003.
The fixes come in eight groups, six of which contain critical-rated issues. Arguably the two most serious affect Internet Explorer and Microsoft Word, with both also getting the top ratings on the exploitability index (which measures how likely it is hackers will target the loopholes).
Both bugs, which are activated by infected web pages and Word or rich text format documents respectively, allow remote code execution, effectively handing over control of an operating system to a hacker.
The other critical issues involve the Graphics Device Interface (the main graphical component of Windows), Windows Search, Excel and Visual Basic 6.0 Runtime, the last of which affects Windows users visiting pages with ActiveX content.
The GDI bug, while rated less likely to be exploited, may be the most embarrassing fix of the update. Microsoft issued fixes for very similar problems in April and September, both of which involved infected Windows Metafiles (the files used to create images in Windows), raising questions about whether Microsoft is tackling underlying issues.
There’s also some controversy over a fix issued this month for a bug in the Windows Media system. Security experts say the details of the vulnerability are very similar to past problems with other Windows components such as the Server Message Block issues fixed last month. That’s got them wondering how effective Microsoft’s procedures for checking programs for bugs before release really are.
Despite the size of this month’s update, it might not be enough to make Internet Explorer secure. Microsoft is investigating reports of a bug in IE7 which affects machines running XP or Windows 2003, even if they’ve been patched with the new update. At the moment there’s no evidence of hackers exploiting it, but instructions on how to do so are now online, making it only a matter of time.
Until Microsoft issues a fix, there doesn’t seem to be much users can do to protect themselves other than use an alternative browser. Those who do stick with Internet Explorer 7 should take particular care to avoid following links to rogue websites, as that seems the most likely way hackers would exploit the bug.
