Super bundle of Microsoft security patches
- 14 August, 2007 22:00
Microsoft has released what security experts are calling one of it most significant security fixes this year.
On Tuesday morning, the software maker pushed out nine sets of patches, called updates in Microsoft parlance, fixing a total of 14 bugs in its software. Six of these updates are rated critical by Microsoft, meaning that attackers could exploit the flaws with no user action required. The other three updates are rated important.
It is the largest set of updates released by Microsoft since February.
"This is an intense month" said Don Leatham, director of solutions and strategy with PatchLink.
Leatham is particularly concerned with the MS07-046 update, which fixes a critical flaw in the graphics rendering system used by Windows. The flaw lies in the Windows graphics device interface (GDI) software used to send graphics data to printers and monitors.
Microsoft says that attackers could exploit this flaw by tricking a victim into opening a specially crafted email attachment, but because the bug lies in a core component of Windows, Leatham believes that there may be other ways to exploit the flaw. "I think this will be a target of the hacking community," he said. "if it's clear down in the graphics rendering engine, I'm assuming that there may be other ways to exploit this, because the graphics rendering engine is used by many applications."
The flaw affects all supported versions of Windows, except Windows Vista and Windows Server 2003 Service pack 2.
Three other patches, fixing critical flaws in Excel and Internet Explorer should also be given priority, said Amol Sarwate, manager of Qualys Inc.'s vulnerability research lab. Those updates are MS07-044, MS07-045 and MS07-050.
These desktop applications are generally "the weakest link" in corporate security and are increasingly being targeted by attackers, Sarwate said.
All of the vulnerabilities patched Tuesday affect some components of the desktop, Sarwate noted. None of the bugs patched Tuesday had been publicly disclosed, he said.
Other critical updates relate to the XML Core Services used by Internet Explorer to process XML (Extensible Markup Language) pages and the Object Linking and Embedding (OLE) technology used by some Windows applications.
With 50 security updates now released, Microsoft has kept pace with last year's patch output. By August of 2006, Microsoft has issued 51 updates.