As part of Microsoft's regular Patch Tuesday schedule, the company released two patches that fix eight holes in Windows and Microsoft Office. Both patches have an overall rating of "important," but on another metric, Microsoft's Exploitability Index, they have earned the highest rating of "1." This means that Microsoft Security believes that exploit code is not only likely, but that it can be created in such a way as to be consistently successful.
Equally important is what Microsoft chose not to patch: issues it is still investigating, or is simply warning users about with workarounds that involve turning off the vulnerable feature. I'll get to those details in a minute. For now, here are the two patches:
In addition, Microsoft issued two "heads up" alerts about reported holes in Internet Explorer 6 and IE 7 (not IE8) and VBScript. Microsoft is investigating both holes, but has not yet created patches for them. As for the IE hole, Microsoft says that it has heard of some targeted attacks that could allow remote code execution, but some versions of the browser are not affected. "Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable."
The VBScript hole is also said to allow an attacker to execute code remotely thanks to everybody's favorite browser, Internet Explorer. It is reported to occur on Windows 2000, XP and Windows Server 2003.
A third interesting item to note this month is that users of Microsoft Producer 2003 are affected by the Movie Maker hole (MS10-016), says Miller, and no patch will be coming in the foreseeable future. Microsoft is instead advising administrators to get rid of the problematic component on users' machines.
Posted by Julie Bort
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at firstname.lastname@example.org, 970-482-6454 or follow Julie on Twitter @Julie188.