Microsoft patches include cumulative IE fix
Microsoft today pushed out six security updates to address vulnerabilities, one less than the company promised last week.
The update delivered four bulletins to correct seven "critical" vulnerabilities in Outlook Express, Internet Explorer (IE) and Microsoft Word.
"We're really trending toward client-base vulnerabilities, where if you visit an evil website, you get hacked," Eric Schultze, chief security architect at Shavlik Technologies, said.
Don Leatham, director of solutions and strategy at Lumension Security, said that MS07-057 – a cumulative patch for three privately reported flaws and one publicly reported flaw in IE – could do the most harm to company networks. The flaws could result in remote code execution should users view a malicious website.
Andrew Storms, director of nCircle security operations, said the IE patch includes fixes for an address bar spoofing vulnerability and a memory handling corruption bug related to a malformed ActiveX control.
Meanwhile, Schultze said organisations should pay particular attention to MS07-060, which corrects a bug in Word. Microsoft said hackers actively are exploiting the vulnerability, which impacts Office 2000 and XP versions.
Ben Greenbaum, a senior security manager with Symantec Security Response, said the ubiquity of Outlook Express and Windows Mail makes MS07-056 the most pressing patch for organisations to extend to their end-users. The fix addresses a flaw caused by failure to handle malformed network news transfer protocol (NNTP) responses.
"The vulnerability…has the potential to be the worst of the batch because these applications [Outlook Express and Windows Mail] come packaged with nearly every release of the Windows operating system," Greenbaum said.
The other critical patch addresses a vulnerability in the Kodak Image Viewer.
Microsoft delivered two fixes labeled "important," the most notable of which addresses a denial-of-service bug in the remote procedure call (RPC). Attackers could exploit the vulnerability to send malicious packets that could take down an Exchange Server, Schultze said.
Microsoft had planned to release another "important" patch, but decided to scrap it, presumably due to problems that arose during testing, experts said.