Microsoft To Fix 26 Flaws With 13 Patches For Windows, Office


Of the 13 patches scheduled for release Tuesday, five are ranked critical, seven are rated with the slightly less severe ranking of "important" and one is deemed "moderate," according to Microsoft's advanced notification bulletin, released Thursday.

Also included in the February update are two Microsoft Office bulletins plugging holes mainly in older versions of Office. The Office patches won't apply to the newer versions, Office 2007 and Office 2008 for Mac, which come equipped with more advanced security functions.

Thus far, there are no in-the-wild attacks exploiting the vulnerabilities. However, since most of the patches address vulnerabilities in older systems, Microsoft researchers advised users to upgrade to the latest software versions, which incorporate stronger security protections, in order to prevent possible future attacks.

"We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built in to these products," Microsoft said in a company blog post.


Included in Tuesday's impending update is a fix for a previously disclosed vulnerability in Windows Kernel, which Microsoft researchers detected in January. If exploited, the vulnerability could enable hackers to infiltrate a user's computer with elevated privileges.

Security experts say, however, that of all 13 patches, bulletin 6 is likely the most critical, because it fixes critical flaws in newer versions of Windows, including Vista, Windows 7 and Windows Server 2008. Most of the other patches repair vulnerabilities in aging versions of Windows and Office.

"It's really the only one that's critical across the board," said Sheldon Malm, senior director of security strategy for Rapid7.

The February patch load, however, won't address a recently detected security vulnerability in Internet Explorer. Microsoft released a security advisory Wednesday warning users of an information disclosure flaw in IE that affects Windows XP and older systems, or systems with Protected Mode disabled, and that could allow hackers to access and steal data from the victim's hard drive.

Microsoft also said that the upcoming patch load will not include a fix for a vulnerability in the Server Message Block protocol, which could be used by hackers to take control of or execute malicious code on a victim's computer. Microsoft issued a security advisory about the vulnerability in November.

Security experts say that February's heavy patch load is nothing new for this time of year. Historically, February is a patch-heavy month for Microsoft, following an anticipated lull in December and during the first few weeks of January. Experts also say that it follows Microsoft's pattern of a light patch month followed by a heavy one.

"If you look back, they're trying to do two to five (vulnerabilities) followed by 15 to 20," said HD Moore, chief security officer and chief architect for Metasploit. "Historically they've been doing 'big, small, big, small' for a really long time."