Microsoft is preparing for July’s Patch Tuesday, which centers on Windows and Office. With only four bulletins — compared to 10 bulletins with a record-tying 34 vulnerabilities in June — IT admins can breathe at least a partial sigh of relief.
Still, there’s plenty to patch in July, including a vulnerability a Swiss Google engineer made public in June. Google engineer Tavis Ormandy published attack code for a vulnerability in Windows XP’s Help and Support Center, which lets users access and download Microsoft help files from the Internet. Support technicians also use the Help and Support Center to launch remote support tools on a PC.
Ormandy has been criticized because he only gave Microsoft five days to fix the problem before going public with details about how hackers could write malicious code to exploit the flaw. Sophos Security Consultant Graham Cluley called it an “irresponsible disclosure.” Making matters worse, Microsoft said the flaw also affects Windows Server 2003.
Exploring Windows Flaws
“Keeping IT professionals as busy as the air-conditioning units in New York City this week, Microsoft announced today that next Tuesday they will release four security bulletins to address five separate current vulnerabilities, with three that are rated critical and one of the critically rated bulletins requiring a restart of server-class machines,” said Don Leatham, senior director of solutions and strategy at Lumension.
Bulletins 1 and 2 both affect Microsoft Windows — and they are both rated critical. The vulnerabilities could allow remote code execution, typically the most-feared exploit.
Leatham said Bulletin 2 will have a huge impact because it affects Windows 7 desktop users and Windows 2008 R2 servers, which are Microsoft’s most current and widely deployed desktop and server solutions. IT departments with Windows 7 and/or Windows 2008 R2 should be ready to prioritize this bulletin, he warned.
Exploring Office Flaws
Bulletins 3 and 4 affect Microsoft Office. While Bulletin 3 is rated critical, Leatham said IT admins should feel fortunate that its impact will be limited to only those organizations that have built applications and processes using Microsoft Access.
Bulletin 4 is only rated important. Nonetheless, Leatham strongly encouraged users to pay attention to this since it addresses a vulnerability in Microsoft Outlook, Microsoft’s popular e-mail client. Vulnerabilities in e-mail clients are always a concern, he said.
As Leatham sees it, the good news is that with the release of these four bulletins next week, Microsoft will take care of the two recent security advisories — the vulnerability in the Canonical Display Driver that could allow remote code execution, and the Google-exposed flaw — that have been under attack now for a few weeks.
Meanwhile, security researchers are still irate about how Ormandy handled his disclosure. “A responsible security researcher would have been happy working with Microsoft on a successful resolution of the issue, and only shared details once a safe patch had been developed,” Cluley said. “Five days isn’t a sensible period of time to expect Microsoft to develop a fix which has to be tested thoroughly to ensure it doesn’t cause more problems than it intends to correct.”