Microsoft releases massive set of security updates
Microsoft released 11 security updates Tuesday fixing critical flaws in its
products, including a publicly known ActiveX bug that affects users of the
Visual FoxPro database.
In total, 17 individual software flaws were patched in the updates. Microsoft
rates six updates as critical, meaning they should be installed as soon as possible,
while the remaining five updates are considered "important." Last
month was an easier month on IT administrators, when Microsoft released just
two updates.
Microsoft surprised some by releasing one fewer update than expected. Last Thursday
the software vendor had said that it was readying a fix for critical VBScript
and JScript flaws in Windows 2000, XP, and Windows Server 2003. That update
wasn't included in this week's patches, but on Tuesday Microsoft wouldn't confirm
that it had actually dropped the update because "this could put customers
at risk," according to a spokeswoman for the company's public relations agency.
Security experts said Tuesday that the MS08-010 update, which fixes four bugs
in Internet Explorer, should take top priority this week. "There are four
vulnerabilities within that particular patch and all of them are remote-code
executable," said Jonathan Bitle, director of technical account management
with Qualys.
"The way we're looking at it, our prioritization would put MS08-010
at the top followed by MS08-007," said Don Leatham, director of solutions
and strategy with Lumension Security.
MS08-010 fixes a publicly disclosed ActiveX bug that affects Visual FoxPro
users. Although hackers have already posted code showing how to exploit this
vulnerability, the buggy ActiveX control is not included in Internet Explorer
7's default list of controls, so the flaw should not affect most users.
The MS08-007 update fixes a critical flaw in the Windows XP and Vista WebDAV
redirector software.
WebDAV is a Web-based document sharing protocol. The flaw is rated important
for Windows Server 2003 users.
Microsoft's Office products are also a major source of patches this month.
Tuesday's updates include critical fixes for Microsoft Word, Office Publisher
and Office itself.
There is also a critical update for Windows' Object Linking and Embedding (OLE)
Automation software.
The remaining updates, rated important, are for Active Directory, the Vista
TCP/IP stack, the Microsoft Works file converter and two bugs in the Internet
Information Services (IIS) Web server.
The Patch Tuesday updates show that client-side bugs continue to be a much
higher risk than server-side vulnerabilities, said Andrew Storms, director of
security operations with nCircle. "One would have assumed that the IIS
and Active Directory vulnerabilities would have been the most serious because
they stand at the core of an enterprise and provide more critical services,"
he said via instant message. "But with this month's patches, the hacker's
best bet is to take advantage of the client-side attacks."
IDG News Service








