Microsoft Corp. said this week it would issue seven security updates, three of which are “critical,” to patch Windows components including versions 6 and 7 of Internet Explorer.
It also looks like Microsoft will disable a vulnerable third-party program, said Andrew Storms, director of security operations at nCircle.
“Maybe this is a new trend by Microsoft, issuing kill bit updates to mitigate risks,” said Storms, referring to one of the seven updates. “Kill bit” is the term Microsoft coins to describe setting a flag in the Windows registry that disables a specific ActiveX control; the company regularly advises users to set the kill bit in lieu of a formal patch for a control that contains a bug.
In April, Microsoft issued a kill bit update for an ActiveX control distributed by Yahoo Inc. for its Yahoo Music Jukebox. At the time, Microsoft said it would lock down other vendors’ software at their request by releasing fixes through Windows Update.
“If Microsoft was patching one of its own ActiveX controls, I would think it would say it’s fixing something in ‘ActiveX,’ but because it’s labeled this as ‘kill bit,’ it leads me to think that it involves a third-party,” said Storms.
Overall, he continued, the seven-update list is “one of the most diverse and interesting in a long time. It runs the gamut as far as the distribution of where they are in the operating system and software. The only thing we’re missing is [a vulnerability for] Excel or Outlook and we’d have one for everything that Microsoft makes.”
Microsoft rated three of the seven updates “critical,” its highest threat ranking, while three are tagged “important,” one step lower, and the seventh — the kill bit update — was marked as “moderate.” The critical updates will patch Bluetooth, DirectX and IE in Windows, according to the pre-patch notification Microsoft issued Thursday,
It’s unlikely, however, that the IE update will address the vulnerability that Microsoft warned users about last week, said Storms. “It could,” he offered, “but I don’t think it would have something this quick.” That bug, when combined with a flaw in Apple Inc.’s Safari Web browser, leaves users open to attack, Microsoft said in a security advisory issued last Friday.
The patch will fix IE6 and IE7 running in all supported editions of Windows, including Windows 2000, XP, Server 2003, Vista and Server 2008. Microsoft has pegged the IE fixes in the client operating systems as critical, but only as moderate on the server side.
Storms also called out the Bluetooth update as noteworthy. “A lot of people will be looking at this one,” he said. “Does the vulnerability carry over into the mobile side, or is it only around the desktop?” Bluetooth vulnerabilities, Storms added, are rare and often resemble the “man-in-the-middle” bugs that are sometimes exploited in 802.11-based wireless scenarios.
Two updates — one for Windows Internet Name Service (WINS) and the other for Active Directory — affect only server software. While Microsoft rated both as important, Storms said enterprises may think differently. “Active Directory is such a critical core component. Large enterprises will certainly need to roll out these two, and it will take them some time, because of the testing they’ll need to do.”
The seven security updates will be posted Tuesday, June 10, around 1 p.m. EDT.
