[ISN] Microsoft Plans Six Security Updates, Two For Windows Vista

From: InfoSec News (alerts@private)
Date: Fri Jun 08 2007 - 07:06:02 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=199902337

By Sharon Gaudin
InformationWeek
June 7, 2007

Gearing up for next week's Patch Tuesday release, Microsoft announced on 
Thursday that it's preparing six security updates -- four of them for 
critical bugs.

One security update actually can patch multiple vulnerabilities so it's 
unclear at this point how many flaws next week's releases will fix. 
Microsoft, though, did announce in its Security Bulletin Advance 
Notification that each of the four critical updates will affect Windows 
software, while only one affects Internet Explorer. Another one will 
address issues in Outlook Express, as well as Windows Mail.

One critical vulnerability affects Windows Mail in Windows Vista and 
Windows Vista x64 edition. There is another patch for Windows Vista 
that's rated "moderate".

All of the critical bugs being fixed enable remote code execution, 
meaning that a remote hacker could take over an infected system.

The one security bulletin that received Microsoft's second-highest 
threat rating of "important" affects the Office application suite, as 
well as Microsoft Visio, which is diagramming software. The flaw being 
fixed also enables remote code execution. It's not yet clear why this is 
not a critical flaw, as nearly all remote code execution vulnerabilities 
are rated that way.

The 'moderate' security bulletin affects a bug in Windows that causes 
information disclosure.

Johannes Ullrich, CTO for the Internet Storm Center, a cooperative cyber 
threat-monitoring and alert system, said this seems like an average-size 
patch release for Microsoft -- slightly less than last month when 
Microsoft released seven bulletins in its monthly patch release. He is 
hoping, though, that several of the outstanding Internet Explorer flaws 
are fixed in the June 12 release.

"There are about six publicly known IE bugs out there," he added in an 
interview. "Typically, Microsoft issues patches that fix multiple bugs. 
Last month, four vulnerabilities were fixed with one IE patch. That 
would be good."

Ullrich also is hoping that Microsoft patches several outstanding Office 
vulnerabilities. "It's definitely one of the issues that keeps bugging 
users," he said. "We haven't seen any of them widely used yet. They're 
being used in smaller, targeted attacks."




