Microsoft Plans Nearly Dozen Patches

Critical vulnerabilities in Microsoft’s  Windows operating system and the widely-used Office application suite are part of 11 patches slated to be released next week, according to a Microsoft.

Six of the patches -– at least one deemed critical by Microsoft -– affect Windows users, while four address vulnerabilities in Office, one of them critically important. Another security bulletin targets a moderate security risk in Microsoft’s .NET  framework.

The 11 patches mark a resurgence in the number of security updates issued each month. While September saw just six security bulletins, it served as a breather from the 12 patches released in August.

Although the advance notification includes no details on what vulnerabilities the patches intend to fix, Microsoft has said at least one patch will answer a Windows flaw exploited by malicious hackers.

Monday Microsoft it would include a security update in response to proof-of-concept code able to exploit a flaw in the WebViewFolderIcon Active X control. The vulnerability cold enable malicious hackers to gain control of unpatched Windows 2000, Windows XP and Windows Server 2003 systems.

Office users could find the solution to a security headache discovered in September. That problem focused on a PowerPoint vulnerability that opened the door to Trojan attacks. While the exploit was rated a limited risk by security vendors, the exploit included email which created a backdoor for hackers to steal private information.

Microsoft responded by suggesting PowerPoint users employ PowerPoint Viewer 2003.

While the software maker issued an out-of-cycle patch to stem the tide of Web sites using a VML exploit, some security groups unwilling to wait for Oct. 10 released a string of third-party patches to fill the gap.

The VML exploit prompted the creation of the Zeroday Emergency Response Team (ZERT), a group of experienced security researchers. ZERT issued a fix for the VML vulnerability, as well as the WebViewFolderIcon issue.

But ZERT was not alone in offering Windows users an alternative source for security patches.

Monday, security vendor Determina also issued a patch for the ActiveX problem. Determina was not a newcomer to third-party patches. In March, the company was one of two vendors offering a free patch for the exploited “createTextRange()” vulnerability attacking IE users.

The year began with a patch from a Russian software developer to solve a hole in Windows Metafile (WMF).

Despite the increasing use of third-party security solutions, vendors point out Microsoft’s speed in reacting to the appearance of exploits is constrained.

While Microsoft is often criticized for waiting until Patch Tuesday to patch a flaw being exploited, the concept of once-a-month security updates was born to prevent confusion, vendors contend.

News Around the Web