
Microsoft readies 17 software patches for 64 holes


err0r


Get ready for Patch Tuesday, April 12: Microsoft is issuing 17 software fixes, nine of them considered "critical" to its Windows operating system, as well as to Internet Explorer and Microsoft Office.

 

Altogether, the patches will fix 64 security holes, or vulnerabilities, in a wide range of Microsoft's software, including Visual Studio and .NET Framework. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)

 

The 17 patches are the same number of fixes Microsoft released in December to address 40 different problems. The newest round ties with December's fixes for the most patches in a single bulletin, and as Ars Technica noted, "takes the clear lead for number of flaws fixed."

 

While Microsoft's Security Bulletin doesn't have "any specific details" about the patches, the company "said some of the fixes will address the Windows MHTML vulnerability and the Server Message Block Browser bug in Windows XP," according to Fahmida Y. Rashid of eWeek.com:

 

First reported last January (Security Advisory 2501696), the MHTML flaw allows attackers to run scripts in the wrong security context on Windows XP, Vista, Windows 7 and all supported Windows Server releases. An attacker could exploit the vulnerability to inject a client-side script in a Website the user is viewing in Internet Explorer. Once executed, the script could collect user information and spoof content. Attackers have exploited the vulnerability in "limited, targeted attacks" using the public proof-of-concept code, according to Microsoft.

 

The Server Message Block Browser bug in Windows XP, which could trigger a blue screen in kernel mode, was publicly disclosed on Feb. 15. French security firm Vupen rated the flaw as "Critical" and warned that the exploit could cause a denial-of-service attack or completely take over the compromised system.

 

Just about every Windows user needs to pay attention to this patch. Notes Rashid:

 

Affected operating systems include Windows XP, Windows XP Professional x64 Edition, Windows Server 2003, Windows Server 2003 x64 Edition, Windows Vista (32-bit and 64-bit), Windows Server 2008 and Windows 7.

 

There are updates for Internet Explorer 6 through 8. Despite Microsoft's attempts to sunset IE6, it appears IE6 bugs in Windows XP and Windows Server 2003 have been addressed.

 

You can learn more about the Patch Tuesday at Microsoft's TechNet site. The company will also have a webcast "to address customer questions" at 11 a.m. PT Wednesday. You can register here for that, and it will also be available on-demand.

 

Source: Suzanne Choney
