RealTime IT News

Patch Tuesday Targets 'Mammoth' Set of Flaws

It's Patch Tuesday today, and Microsoft (NASDAQ: MSFT) has released fixes for 11 security flaws -- six of which are rated "critical," the top-level alert, while the remainder rank as "important."

The 11 security bulletins together cover a total of 26 vulnerabilities, making this Patch Tuesday one of the broadest in recent memory. Microsoft has not released this many bulletins since February, and has not patched as many individual vulnerabilities on a single Patch Tuesday in the past two years.

"This is a mammoth Patch Tuesday, and we have not seen anything of this scale in a long time," said Karthik Raman, a research scientist at antivirus software vendor McAfee.

The six critical security flaws relate to Remote Code Execution vulnerabilities in Microsoft Windows, Internet Explorer, Media Access Player, Access, Excel, PowerPoint and Microsoft Office. All versions of Windows, from Windows 2000 to Vista, and Windows Server 2003 and 2008, are impacted. Microsoft today also released an updated version of the Microsoft Windows Malicious Software Removal Tool.

The latest Patch Tuesday comes as hackers continue finding new ways to circumvent security, and Microsoft, like most vendors, remains busy with efforts to battle them.

In particular, Microsoft has said it plans to work more closely with antivirus software vendors and developers of non-Microsoft software, and will introduce a new rating system to help users assess the danger from malware.

Security updates are available from Microsoft's Download Center. Microsoft also plans to host its traditional post-Patch Tuesday Webcast to discuss the vulnerabilities tomorrow at 11 a.m. PDT.

Today's flurry of activity follows a quiet Patch Tuesday last month, in which Microsoft issued only four security bulletins -- none labeled critical.

Wider efforts in response to wider threats

The efforts also come on the heels of increased worries about an expected upswing in hacker activity during the Olympic Games, in the form of e-mail spam and spoofed Web sites.

"Anything new is a two-edged sword, and criminal attackers are getting very good at exploiting the Internet for information and for creating markets," Internet Research Group analyst Peter Christy told InternetNews.com. "Microsoft and NBC are doing a lot of things to provide a lot of information about the Olympics online, and it's common sense that the criminals will leverage that."

However, Jordy Berson, group product manager at CheckPoint Software, said that while hacker attacks have increased in tandem with the Olympics, "it's not up to the level of the hype about it," and that organized cybercriminal rings have also contributed to the increase.

To better combat hackers, Microsoft last week announced that it would provide third-party security software vendors advance notice of the full details of impending updates provided they sign non-disclosure agreements and have a "significant Microsoft customer base."

"We welcome this new initiative," Alfred Huger, vice president of development at antivirus software vendor Symantec's Security Response unit, told InternetNews.com. "The bad guys work closely, and it's important that security vendors do so as well."

Symantec has "worked closely with Microsoft for some time," he added.

To further fight hackers, Microsoft has announced plans to introduce into future bulletins what it calls an "exploitability index", which will help users predict how likely a particular vulnerability is to being hacked. This will help users decide which fixes are more important.

In addition, Microsoft will work with third-party software developers to find fixes for problems in non-Microsoft software that could impact Windows users. Symantec's Huger also approves of the move.

"That type of leadership role is important for large vendors to assume if and when they can," Huger said. "The more helpful Microsoft can be in helping developers fix their software, the better, because there's a huge number of desktops out there running Microsoft."

Microsoft isn't the only company making security-related news this week. Riding the coattails of Patch Tuesday, Check Point Software is giving away full versions of its ZoneAlarm ForceField virtualized browser security solution for 24 hours, ending at 6 a.m. PDT tomorrow.

"We want to make a statement that browser security is as important as traditional security," CheckPoint's Berson told InternetNews.com. "Traditional firewall and antivirus software is important in its own right, but as organized crime has become the major way in which user identities are stolen and Web sites are attacked, there has to be an increased emphasis on browser security."