Microsoft releases super bundle of security patches

Microsoft has released what security experts are calling one of the most significant security fixes this year. On Tuesday morning, the software maker pushed out nine sets of patches, called updates in Microsoft parlance, fixing a total of 14 bugs in its software. Six of these updates are rated critical by Microsoft, meaning that attackers could exploit the flaws with no user action required. The other three updates are rated important. It is the largest set of updates released by Microsoft since February.

"People should definitely cancel their dinner plans and make sure they take this one seriously because both the breadth and impact of these are important," said Don Leatham, director of solutions and strategy with PatchLink. "This is an intense month."

Leatham is particularly concerned with the MS07-046 update, which fixes a critical flaw in the graphics rendering system used by Windows. The flaw lies in the Windows graphics device interface software used to send graphics data to printers and monitors. Microsoft says that attackers could exploit this flaw by tricking a victim into opening a specially crafted e-mail attachment, but because the bug lies in a core component of Windows, Leatham believes that there may be other ways to exploit the flaw. "I think this will be a target of the hacking community," he said. "If it's clear down in the graphics rendering engine, I'm assuming that there may be other ways to exploit this because the graphics rendering engine is used by many applications." The flaw affects all supported versions of Windows, except Windows Vista and Windows Server 2003 Service Pack 2.

Three other patches, fixing critical flaws in Excel and Internet Explorer, should also be given priority, said Amol Sarwate, manager of Qualys's vulnerability research lab. Those updates are MS07-044, MS07-045, and MS07-050. These desktop applications are generally the weakest link in corporate security and are increasingly being targeted by attackers, Sarwate said. All of the vulnerabilities patched Tuesday affect some components of the desktop, Sarwate noted. None of the bugs patched Tuesday had been publicly disclosed, he said.

Other critical updates relate to the XML Core Services used by Internet Explorer to process XML pages and the Object Linking and Embedding technology used by some Windows applications. The less-critical updates fix bugs in the Windows Media Player, Microsoft Virtual PC and Virtual Server, and in Windows Gadgets. With 50 security updates now released, Microsoft has kept pace with last year's patch output. By August of 2006, Microsoft had issued 51 updates.

News source: InfoWorld


41 Comments


Quote - Don Leatham
"People should definitely cancel their dinner plans and make sure they take this one seriously because both the breadth and impact of these are important," said Don Leatham

"Sorry babe, I'm gonna have to cancel our date tonight, I've gotta go home and patch my computer"

That would go over well...

Hate to say it as i am sure some of you did, but if you are willing to cancel dinner plans to patch windows you really need a life, and i am guessing do NOT have a Girlfriend

No wonder anything that was Microsoft wasn't working last night... I couldn't even activate programs! It timed out with 3 separate apps I tried to activate... and Windows Update was timing out... I am still downloading updates via auto update... it's only 9% after 12 hours. All other sites are working fine! (non-MS ones)

I have noticed permanent high CPU usage after installing these updates on Vista, even when there's no programs running, 10 to 20% CPU all the time at least. Anyone else experiencing this?

I had to download each update and install separately.

They downloaded in Microsoft Update, but nothing would install. No error code or anything.

Even Automatic Updates wouldn't install them.

Using Windows XP Pro x64 SP2 (Genuine)

Really odd..

Interestingly enough, whenever my Nokia E61 tries to automatically sync via Bluetooth (with Nokia PC Suite) on Vista x64 after installing these updates, the system blue screens.

Time to do a little experimenting - in the meantime, I'll just have to drop it into the cradle on my desktop to sync. *sigh* Such a hard life... ;-)

Croquant said,
Hey, look! Yet ANOTHER reason not to switch to Vista.

hey look, yet another idiot that has never tried vista for more than 60 seconds....

sirghost said,

hey look, yet another idiot that has never tried vista for more than 60 seconds....

these are the most annoying posts, "well if you don't like it it must be 'cause you have not used it", I have used it lots and even a little more, and it SUX, even if you leave it the 2 days it takes to index (which I still say is crap)

whocares78 said,

these are the most annoying posts, "well if you don't like it it must be 'cause you have not used it", I have used it lots and even a little more, and it SUX, even if you leave it the 2 days it takes to index (which I still say is crap)

Hey, you know what? You can turn indexing off. Yeah, amazing huh?

15 Days Ago, Apple Released Patches That Fixed Fifty Vulnerabilities

http://news.com.com/8301-10784_3-9752986-7.html

In what appears to be a monthly patch cycle, Apple today released Security Update 2007-007. This update affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9 and fixes fifty vulnerabilities with half as many patches. It appears Apple is clearing house in advance of the annual Black Hat security conference; the iPhone vulnerability was reported by one of Black Hat's scheduled speakers, Charlie Miller. This update is available from within Mac OS X via the Software Update pane in System Preferences, or from Apple's Software Download.

Microsoft can fix a billion vulnerabilities with one patch too. It's called a Service Pack.

The concept existed back in '95. Nothing new or revolutionary.

whocares78 said,
and the point of this post is what exactly?

It's the typical crap, "ooh, Windows has patches, but [product] has even more!" It's trying to prove something is good by finding something worse out there. I wonder sometimes if these people actually don't want to see faults found and corrected.

kaiwai said,

It's the typical crap, "ooh, Windows has patches, but [product] has even more!" It's trying to prove something is good by finding something worse out there. I wonder sometimes if these people actually don't want to see faults found and corrected.

Totally agree, it appears a lot of the time that people get annoyed when patches are released. I don't get it, it is stupid if you ask me, patches only do good. Well done to MS for fixing the bugs, and while I am at it, good on you Apple for fixing some too.

My Windows XP is pirated - NOT MY CHOICE by the way!!! The PC was bought that way and I haven't had a chance to remedy it.

Yet I am able to get Windows Updates if "Automatic Updates" is on. Is this normal?

It is absolutely normal, until you get the Windows Genuine validation update, then you're screwed and start getting them annoying messages. P.S. It had to be your choice, if not report whoever sold it to u and you get a free copy, well you used to, don't know if MS is still doing it, but I know they were at one point

Croquant said,
There's lots of ways around WGA. I could tell you about them here, but then I'd get banned. :disappointed:

most of which are pretty dodgy and only work until it is again upgraded, although I know a few that use illegitimate copies even though they have legitimate licenses 'cause the activation can be soooo annoying

I haven't looked specifically for that error but generally from my experience when an update fails via auto update it is generally because one update failed, all I usually do is find the failed update, manually download and install it, after that auto update works fine again

LMAO that doesn't read very good, try again

When auto update has errors and does not update, it is generally because one update failed, all I usually do is find the failed update, manually download and install it, after that auto update works fine again

caused problems to install some of the updates... on my vista machine.
took a long time to log in...
anyone else had this problem?

Wow really?!?! Thanks for telling us! That's great! Hey if you get time why don't you start a thread about how many blades of grass you have in your lawn ok?

hapbt said,
Wow really?!?! Thanks for telling us! That's great! Hey if you get time why don't you start a thread about how many blades of grass you have in your lawn ok?

1122213453431341241234 blades LMAO

8 updates for this particular machine of mine. 6 more machines to go!!

Just installed Office 2003 on here. Had 15 updates for that!

omg, I was wondering what that was. I installed Vista on my new 120GB HD today and got some updates. I kinda glanced over it to see if the patches from last week were included but I didn't really check - I vaguely remember seeing some updates marked "Today" but I didn't pay attention. Now that I put in my old HD with Vista still on it I just did a check and got 11 updates marked for Today (my machine automatically checked at 3:29am for some reason so it didn't pick them up)

That one WMP11 update is 8.5MB alone. (936782)

1. We know how many updates there are, how many your PC downloaded is almost completely irrelevant to EVERYONE, even you.
2. We know the size of the updates, this is by far the LEAST RELEVANT information you could provide about an update, its size. But thank you for providing the size in megs AND bytes for us, that was very helpful and will help us to decide if we want to apply this security update.
3. It checked at 3:29 but didn't pick them up because they are released at noon, pacific time presumably. But my real comment is again : how does what time your computer installed the updates make any difference to anyone?

Why am I being such a dink to you? It's not so much you as the 1000 other people who also felt the need to tell us this crap.