Microsoft's monthly Patch Tuesday update cycle has rolled around once again, and it's a busier month for sysadmins this time around with four critical vulnerabilities to be sorted.
According to an article over on CNet
, Windows users will enjoy a quartet of bug fixes in this latest release cycle – including two issues in Internet Explorer 7 on all Windows releases.
The IE bugs are rather nasty, allowing for remote code execution should a vulnerable PC visit a maliciously coded website – and Microsoft has used the release of the security bulletin regarding the issue to remind users that not running as a superuser all the time is best practice, saying that “users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
” Easier said than done, of course – especially when the default behaviour for Windows XP is to create an administrator-level user as the main, and often only, account.
It's not just desktop systems that are affected this month, either: Microsoft Exchange server has a pair of Critical issues of its own, one of which again allows for remote code execution and complete system penetration should a specially-crafted Transport Neutral Encapsulation Format message – those pesky winmail.dat
files you keep getting from Outlook users – be received. The second Exchange bug can allow a ne'er-do-well to carry out a denial of service attack via a special MAPI command – although this only results in server unavailability, not code execution.
While that covers all the Critical patches that arrived this Tuesday, that's not all that has been released: several Important updates have also been made available, including a fix for a possible remote code execution vulnerability in SQL Server, and a further three patches for Microsoft Office that fixes handling of malicious Visio files.
As well as the usual updates to the Outlook and Windows Mail Junk E-mail Filter and the Windows Malicious Software Removal tool, ITWire
is reporting that Microsoft has pushed out some updated ActiveX killbit packages – settings which prevent certain malicious ActiveX controls being installed within Internet Explorer, including versions of the Akamai Download Manager and RIM's AxLoader which have known security issues.
Hoping that the monthly patch cycle will pass by without a hitch, or are you concerned at the number of vulnerabilities that can result in remote code execution this time around – especially considering the light patch load last month? Share your thoughts over in the forums