Microsoft Remedies 14 Flaws in Nine Patches

By Ed Oswald | Published August 14, 2007, 4:23 PM

Microsoft fixed a total of 14 flaws across 9 patches on Tuesday, with six of those patches reaching critical status. While the number of patches is far from the Redmond company's record, this month could prove difficult for administrators.

"This month's Patch Tuesday has headache written all over it," PatchLink's Paul Zimski commented. "Although this is not Microsoft's biggest Patch Tuesday in terms of number of patches, the details of the patches indicate a broad spectrum of exposure."

Of the critical patches, all deal with remote code execution issues. The first patch fixes issues within the XML Core Services of Windows, while another corrects a memory corruption issue within the Object Linking and Embedding function in Windows, Visual Basic, and Office for Mac.

A third critical patch fixes a workspace memory corruption flaw within Excel, and an issue in how the Graphics Rendering Engine handles specially crafted images has also been remedied.

Two critical patches for Internet Explorer were also released: one fixes a buffer overrun vulnerability within Vector Markup Language, and the other is a cumulative patch containing three separate fixes for two ActiveX object problems and a CSS memory corruption issue.

Three important patches are available as well: two for remote code execution issues and one that involves elevation of privilege. In addition, a fix for Windows Media Player repairs two separate issues with the parsing and decompressing of skins used to change the look of the player.

Also fixed was an issue within Windows Vista concerning the "gadgets" feature. Microsoft says that malicious files could open the operating system up to remote code execution. Finally, a flaw in Virtual PC and Virtual Server that could result in elevation of privilege was also remedied.

"Organizations need to remediate these vulnerabilities as quickly as possible to avoid falling victim to quick turnaround exploits," Zimski said.

Comments

Jeez Louis! Remote code running through the GDI!?!

Score: 0


The inclusion of the optional Logitech camera software update was very poorly implemented. My computer's left hand had absolutely no idea of what its right hand was doing.

First, Logitech downloaded and supposedly installed from M$ update. However, there is then a Logitech updater which demands you to manually go thru the installation again. That procedure also asks for your original Logitech v.10 program disc. (That instruction can be ignored. Just click on thru.)

And even after all of that confusion, on one of my systems the update still had not taken hold. Why can't Microsoft get something right that it has been doing for a couple of years now?

Advice: Install the Logitech upgrade manually--since that's what you end up doing anyway.

Score: 0


How are IT departments supposed to keep up with these patches?

Firms that have any kind of standards (especially those that follow the ITIL system) have to perform testing for these patches and so can't afford to blindly deploy patches and take the chance on issues arising as a result.

Such firms are likely to be months out of date with what Microsoft are spitting out!

Score: 0


If you're using Windows, you're more than months out of date!
(grin)

Score: 0


Several options:

1. In smaller environments, you can turn on auto-updates. In larger environments with all kinds of configs, this might not be the best option as you stated.
2. MS gives you the option of standing up your own update server. Once you 'approve' each patch, then it gets pushed to all your client servers and desktops at the time you specify. Very simple process. You can redirect all clients to your update server via a policy. No need to visit each machine.

Patches are a way of life regardless of platform. You need to develop a policy and stick with it.

Score: 0
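The internal update server the commenter describes only helps if clients are actually redirected to it by policy and approved patches actually land. The script below is an added example, not part of the article or the comment, that checks both from the client side; it reads the standard Windows Update policy registry values and uses Get-HotFix, and the server URL is a placeholder for your own WSUS host.

```powershell
# Added example (not from the article or comment): verify that a Windows client is
# pointed at an internal update server via policy and report what it actually installed.
# Assumptions: standard Windows Update policy registry paths; $ExpectedServer is a
# placeholder you replace with your own update server URL.

$ExpectedServer = 'http://wsus.example.internal:8530'   # placeholder value

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'

function Get-PolicyValue($Path, $Name) {
    # Return $null instead of throwing when the policy has never been applied.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wuServer     = Get-PolicyValue $policy 'WUServer'
$statusServer = Get-PolicyValue $policy 'WUStatusServer'
$useWuServer  = Get-PolicyValue $au 'UseWUServer'

# 1. Is the client redirected to the internal server at all, and to the right one?
if ($useWuServer -ne 1 -or -not $wuServer) {
    Write-Warning 'Client is NOT using an internal update server; it talks to Microsoft directly.'
} elseif ($wuServer -ne $ExpectedServer) {
    Write-Warning "Client points at '$wuServer', expected '$ExpectedServer'."
} else {
    Write-Output "Update server policy OK: $wuServer (reporting to: $statusServer)"
}

# 2. What has actually installed recently? A correct policy means nothing if the
#    approved patches never take hold on the box.
$since  = (Get-Date).AddDays(-45)
$recent = Get-HotFix |
          Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
          Sort-Object InstalledOn -Descending |
          Select-Object HotFixID, Description, InstalledOn

if ($recent) {
    Write-Output "Hotfixes installed since $($since.ToShortDateString()):"
    $recent | Format-Table -AutoSize
} else {
    Write-Warning "No hotfixes installed since $($since.ToShortDateString()); check client reporting."
}
```

Run it from an elevated prompt on a sample of clients after approving a month's patches; a client that reports the right server but no recent hotfixes is the case the earlier commenter hit, where the update "still had not taken hold".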
