With hackers exploiting unpatched vulnerabilities in its Windows and Office software, Microsoft Corp. plans to issue 11 security updates on Tuesday.
Some of the Office and Windows updates will be for critical flaws that could be exploited by attackers with no action on the part of users. Six of the patches will be for Windows, and four of them will be for Office, Microsoft said Thursday in a note on its Web site. That note can be found at this Web site.
The 11th update will be for a flaw in Microsoft’s .Net framework, which is considered less severe than the critical Windows and Office patches.
October 10 also marks the end of the line for Windows XP Service Pack 1, which will no longer be supported by Microsoft as of that date. Microsoft’s advisory on this issue can be found at this Web site.
Though the vast majority of Windows XP users have migrated to Service Pack 2, released two years ago, lately there has been an uptick of interest in Service Pack 2 migration issues on patch management discussion lists, said Susan Bradley, chief technology officer with Tamiyasu, Smith, Horn and Braun, Accountancy Corp. “There are still people out there using Service Pack 1,” she said.
Those who haven’t made the move may be running specialized applications that do not support Service Pack 2 but this kind of legacy software issue is usually less pronounced with client operating systems like Windows XP, said Chris Andrew, vice president of security technologies at PatchLink Corp. “Now pretty much everybody is running Service Pack 2, so I don’t think there’s going to be a significant outcry,” he predicted.
Hackers have been keeping Microsoft’s Security Response Center busy this past month.
Microsoft generally issues its security patches on the second Tuesday of every month, but last week the company was forced to issue a rare, “out-of-cycle” security patch after criminals began exploiting a flaw in Internet Explorer’s VML (Vector Markup Language) rendering engine.
And security experts have also warned of cyberattacks based on unpatched flaws in PowerPoint, Word 2000 and in an ActiveX control (called WebViewFolderIcon) used by the Windows’ graphical user interface software.
The WebViewFolderIcon flaw will be patched Tuesday, Microsoft said. Attacks that take advantage of this flaw have been seen on the Internet, the SANS Internet Storm Center warned earlier this week. The SANS warning can be found at this Web site.