Microsoft to patch 20 bugs next week in month of Office updates

Single critical update will fix serious flaws in Office 2007, 2010 on Windows that hackers could use to hijack PCs

Computerworld | Security, Microsoft, Microsoft Office

The six important updates will address one or more vulnerabilities in Windows, SharePoint Server, FAST Search Server, Groove Server, Office Web Apps, Microsoft Communicator, Microsoft Lync and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped six months ago.

Most of them can be postponed, the experts said today, at least according to the information available in the bare-bones advance notice.

"Bulletin 7 [the SQL Server update] will depend on the attack vector Microsoft reveals next week," said Storms. "If it's an elevation of privilege bug that's difficult [for hackers] to get to, you'll be better off waiting."

Storms based that advice on the calendar: many enterprises lock down their networks, servers especially, in October and early November to ensure they keep running during the crucial holiday season. During a lockdown period, IT administrators pass on all patching, just in case a fix causes problems. SQL Server is often a mission-critical part of a company's back-end infrastructure, powering the databases behind online stores.

Alex Horan, senior product manager at Core Security, gave a nod to Bulletin 7, too, but for a different reason. "These patches highlight the amount of code that is being reused," said Horan. "Bulletin 7 involves code reused in versions since 2000. That's 12 years of reused, and now vulnerable code."

It's possible, Horan continued, that the vulnerabilities have been quietly exploited for years.

Also next Tuesday, Microsoft will begin rolling out a long-planned update that invalidates all certificates with keys less than 1,024 bits long.

It was in June that Microsoft first told users it was going to disable those certificates, saying at the time that it would issue an update in August to block Windows from accepting short keys. Microsoft did ship the update that month, but made it an optional download. Next week, Microsoft will effectively push it to everyone.
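Before an update like this lands, an administrator wants to know which certificates on a host it will break. The following script is an added example, not from the article and not Microsoft's tooling: it walks the local certificate stores and lists RSA certificates whose keys are shorter than the 1,024-bit threshold the article describes. It assumes Windows PowerShell 5.1 and the .NET X509Certificate2 APIs; the store list is a reasonable default and can be extended.

```powershell
# Added example: inventory RSA certificates with keys shorter than 1,024 bits,
# the threshold the Microsoft update described above will start rejecting.
# Assumes Windows PowerShell 5.1 (uses the .NET X509Certificate2 APIs).
$MinimumKeyBits = 1024

# Stores that matter for chain building on a typical host; extend as needed.
$Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
            'Cert:\CurrentUser\My',   'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA')

function Get-WeakRsaCertificate {
    param([string[]]$StorePaths, [int]$MinBits)
    foreach ($StorePath in $StorePaths) {
        # A store may be empty or absent on some hosts; skip it quietly.
        Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # Only RSA keys are covered by the update; skip ECC and DSA certificates.
            if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
            try {
                $bits = $cert.PublicKey.Key.KeySize
            } catch {
                return   # public key not readable for this entry; skip it
            }
            if ($bits -lt $MinBits) {
                [pscustomobject]@{
                    Store      = $StorePath
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

# Report every affected certificate so it can be reissued before the update is enforced.
Get-WeakRsaCertificate -StorePaths $Stores -MinBits $MinimumKeyBits |
    Sort-Object Store, Subject | Format-Table -AutoSize
```

An empty table means no certificate in the listed stores falls under the cutoff; anything listed needs reissuing with a longer key, since Windows will stop trusting it once the update is applied.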

The update to kill certificates with shorter -- and thus more vulnerable -- keys was triggered by the discovery of Flame, a sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape, and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It spoofed Windows Update to infect completely-patched Windows PCs.

Microsoft reacted by throwing the kill switch on three of its own certificates.

Originally published on Computerworld.