We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft to patch IE and Exchange flaws

Four critical security upgrades next week

Microsoft yesteday said it will deliver four security updates on next week's Patch Tuesday, two of them pegged "critical". Microsoft will also finally issue a patch for Microsoft SQL Server that it's been working on since last April.

The four updates detailed in the advance notice published yestedaywill quash bugs in Internet Explorer 7 (IE7); its Exchange mail server software; the Visio application that's part of the Office line-up; and SQL Server. The IE and Exchange vulnerabilities will be labeled critical, the company's highest threat ranking, while the SQL Server and Visio bugs will be marked as "important", one step lower.

Microsoft will release the updates on February 10.

Visit Security Advisor for the latest internet threat news, FREE net threat email newsletters, and internet security product reviews

The SQL Server update will fix the vulnerability Microsoft acknowledged in late December 2008, said Andrew Storms , director of security operations at nCircle Network Security. "I did a line-up between the advisory with the affected versions of SQL Server," he said Thursday morning. "It's almost a one-for-one match."

That bug is notable for several reasons. When Microsoft confirmed the vulnerability in a Dec. 22 advisory, it noted that exploit code had been published. Several days later, the company admitted that it first received a report on the bug from Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company, in April 2008.

Mueller disclosed the bug in early December after he grew tired of Microsoft's silence; he claimed that the company failed to return numerous messages in the two months prior when he asking for an update on the patch's progress.

Some security analysts had expected Microsoft to act faster. In late December, for example, Wolfgang Kandek , chief technology officer at security company Qualys, predicted that Microsoft would deliver a fix "out of band," a term used when patches are issued outside Microsoft's normal once-a-month schedule.

"Three of these are all equally important, at least with the information we have today," Storms said about the IE, Exchange and SQL Server patches. "It all depends on an enterprise's infrastructure."

Companies are always sensitive to Exchange fixes, Storms continued, so the critical fix set for Exchange Server 2000, 2003 and 2007 will be parsed carefully. "Messaging is so important to the enterprise," Storms said, "that they'll want to spend a little extra time making sure the patch works." One plus, he said, is a "Does not require restart" note by Microsoft in Thursday's bulletin.

"That could mean it's not necessarily a giant hole, or that we're just going to get lucky," said Storms. Because they won't have to restart their Exchange servers, IT administrators should be able to deploy the patch more quickly, he said.

"The IE vulnerability has to be something unique to IE7," wagered Storms. According to Microsoft, the critical vulnerability affects only that version of the browser, not IE6 or IE5.01, the latter edition specific to Windows 2000, and the oldest browser that the company still supports with security updates. Storms hesitated to guess what IE7-only issue might be patched.

"It could be any number of things," he said. "Could be scripting or the antiphishIng filter."

Microsoft's advance notice reported that the IE7 bug will be rated critical for both Windows XP and Windows Vista, but only "moderate" on Server 2003 and Server 2008.

Microsoft will release February's four updates on Tuesday.

Computerworld.com


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

Apple's 2014 highlights: the most significant Apple news of 2014

IDG UK Sites

See the festive spots creative companies have released for Christmas

IDG UK Sites

Ultimate iOS 8 Tips: 35 awesome and advanced tips for using iOS 8 on iPhone and iPad