It's Patch Tuesday today, and Microsoft (NASDAQ: MSFT) has
released fixes for 11 security flaws -- six of which are rated "critical," the
top-level alert, while the remainder rank as "important."
The 11 security bulletins together cover a total of 26 vulnerabilities, making
this Patch Tuesday one of the broadest in recent memory. Microsoft has not
released this many bulletins since February, and has not patched as many
individual vulnerabilities on a single Patch Tuesday in the past two years.
"This is a mammoth Patch Tuesday, and we have not seen anything of this scale in
a long time," said Karthik Raman, a research scientist at antivirus software
vendor McAfee.
The six critical security flaws relate to Remote Code Execution vulnerabilities
in Microsoft Windows, Internet Explorer, Media Access Player, Access, Excel,
PowerPoint and Microsoft Office. All versions of Windows, from Windows 2000 to
Vista, and Windows Server 2003 and 2008, are impacted. Microsoft today also
released an updated version of the Microsoft Windows Malicious Software Removal
Tool.
The latest Patch Tuesday comes as hackers continue finding new ways to
circumvent security, and Microsoft, like most vendors, remains busy with efforts
to battle them.
In particular, Microsoft has said it plans to work more closely with antivirus
software vendors and developers of non-Microsoft software, and will introduce a
new rating system to help users assess the danger from malware.
Security updates are available from Microsoft's Download Center. Microsoft also
plans to host its traditional post-Patch Tuesday Webcast to discuss the
vulnerabilities tomorrow at 11 a.m. PDT.
Today's flurry of activity follows a quiet Patch Tuesday last month, in which
Microsoft issued only four security bulletins -- none labeled critical.
Wider efforts in response to wider threats
The efforts also come on the heels of increased worries about an expected
upswing in hacker activity during the Olympic Games, in the form of e-mail spam
and spoofed Web sites.
"Anything new is a two-edged sword, and criminal attackers are getting very good
at exploiting the Internet for information and for creating markets," Internet
Research Group analyst Peter Christy told InternetNews.com. "Microsoft and NBC
are doing a lot of things to provide a lot of information about the Olympics
online, and it's common sense that the criminals will leverage that."
However, Jordy Berson, group product manager at Check Point Software, said that
while hacker attacks have increased in tandem with the Olympics, "it's not up to
the level of the hype about it," and that organized cybercriminal rings have
also contributed to the increase.
To better combat hackers, Microsoft last week announced that it would provide
third-party security software vendors advance notice of the full details of
impending updates provided they sign non-disclosure agreements and have a
"significant Microsoft customer base."
"We welcome this new initiative," Alfred Huger, vice president of development at
antivirus software vendor Symantec's Security Response unit, told
InternetNews.com. "The bad guys work closely, and it's important that security
vendors do so as well."
Symantec has "worked closely with Microsoft for some time," he added.
To further fight hackers, Microsoft has announced plans to introduce into future
bulletins what it calls an "exploitability index," which will help users predict
how likely a particular vulnerability is to be exploited. This will help users
decide which fixes are more important.
In addition, Microsoft will work with third-party software developers to find
fixes for problems in non-Microsoft software that could impact Windows users.
Symantec's Huger also approves of the move.
"That type of leadership role is important for large vendors to assume if and
when they can," Huger said. "The more helpful Microsoft can be in helping
developers fix their software, the better, because there's a huge number of
desktops out there running Microsoft."
Microsoft isn't the only company making security-related news this week. Riding
the coattails of Patch Tuesday, Check Point Software is giving away full
versions of its ZoneAlarm ForceField virtualized browser security solution for
24 hours, ending at 6 a.m. PDT tomorrow.
"We want to make a statement that browser security is as important as
traditional security," Check Point's Berson told InternetNews.com. "Traditional
firewall and antivirus software is important in its own right, but as organized
crime has become the major way in which user identities are stolen and Web sites
are attacked, there has to be an increased emphasis on browser security."