On Tuesday, Microsoft released a slew of patches for Windows and Microsoft Office, eight of them rated "critical." The patches released yesterday mark the biggest security update from Microsoft since February 2005.
The Redmond, Washington, software vendor only uses the term "critical" to refer to potentially dangerous vulnerabilities that could enable hackers to take control of a computer remotely.
"This bumper pack of security patches should be treated seriously by firms running Windows, and any computer user who relies on Microsoft software," said Graham Cluley, a senior technology consultant at security firm Sophos.
"Any time that Microsoft is prepared to go public and say that there is a critical problem in its software, everyone should sit up, listen, and be sure to take the necessary action to expedite their protection," he said. "In the past, hackers have quickly followed vulnerability announcements from Microsoft with attacks, so it's important that people take these advisories seriously."
Critical Issue
Altogether, there are 12 patches dealing with 21 security vulnerabilities, addressing issues in Windows, Internet Explorer, Word, PowerPoint, and Exchange Server. Notably, this month's set of patches includes fixes for a critical zero-day flaw in Microsoft Word and an Internet Explorer flaw relating to how the browser deals with ActiveX controls.
Cluley said he was pleased that Microsoft had patched the "very serious" hole in Microsoft Word. "That zero-day vulnerability has been causing concern for many people and was being exploited, albeit, thankfully, to a limited extent in the wild."
As it has done on previous "patch Tuesdays," Microsoft released an updated version of its Windows Malicious Software Removal Tool.
You can go to www.microsoft.com/security/ to download the updates manually or select "Windows Update" in the Tools menu in Internet Explorer to be taken to the more streamlined update system.
In the coming days, the updates should be rolled out automatically to those users who have their PCs set to check for updates regularly.
Vulnerability Upswing
Dean Turner, a senior manager for Symantec Security Response, said that his firm has noticed a major increase in the number of reported software vulnerabilities in recent months and suggested that the vulnerabilities are not necessarily the fault of careless software developers.
"As users' demands on their computers grow, there is a corresponding increase in the complexity and length of software code," he said. "What Symantec would like to see is a push for security-auditing practices among software developers."
Turner went on to say that 69 percent of the software vulnerabilities reported to Symantec in the last six months of 2005 related to Web applications.
"The problem is that there are a lot of low-level Web application development tools out there, which allow relatively inexperienced programmers to create Web apps," he said. "These programmers may not be familiar with the need to audit their Web apps for security weaknesses, and so will not subject their software to the security testing that companies such as Microsoft or Symantec carry out."
Examples of Web apps that might contain flaws include bulletin boards, Web-based e-mail systems, or Web-based chat services, Turner said.
"Over the last few years, we have seen a big shift away from hackers attacking Web sites purely for fun or for celebrity towards financial crime," he said. "Web attacks are all about money these days."