The four updates detailed in the advance notice published today will quash bugs in Internet Explorer 7 (IE7); its Exchange mail server software; the Visio application that's part of the Office lineup; and SQL Server. The IE and Exchange vulnerabilities will be labeled critical, the company's highest threat ranking, while the SQL Server and Visio bugs will be marked as "important," one step lower.
That bug is notable for several reasons. When Micosoft confirmed the vulnerability in a Dec. 22 advisory, it noted that exploit code had been published. Several days later, the company admitted that it first received a report on the bug from Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company, in April 2008.
"Three of these are all equally important, at least with the information we have today," Storms said about the IE, Exchange and SQL Server patches. "It all depends on an enterprise's infrastructure."
Companies are always sensitive to Exchange fixes, Storms continued, so the critical fix set for Exchange Server 2007, 2003 and 2000 will be parsed carefully. "Messaging is so important to the enterprise," Storms said, "that they'll want to spend a little extra time making sure the patch works." One plus, he said, is a "Does not require restart" note by Microsoft in today's bulletin.
"That could mean it's not necessarily a giant hole, or that we're just going to get lucky," said Storms. Because they won't have to restart their Exchange servers, IT administrators should be able to deploy the patch more quickly, he said.
"The IE vulnerability has to be something unique to IE7," wagered Storms. According to Microsoft, the critical vulnerability affects only that version of the browser, not IE6 or IE5.01, the latter edition specific to Windows 2000, and the oldest browser that the company still supports with security updates. Storms hesitated to guess what IE7-only issue might be patched. "It could be any number of things," he said. "Could be scripting or the antiphishing filter."
Microsoft's advance notice reported that the IE7 bug will be rated critical for both Windows XP and Windows Vista, but only "moderate" on Server 2003 and Server 2008.
Microsoft will release February's four updates at approximately 1 p.m. EST Tuesday.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127438
No comments:
Post a Comment