Microsoft Slates Windows Patches, Fixes
Plans include patches for Bluetooth, IE, DirectX and Active Directory.
Thu, June 05, 2008
Computerworld — Microsoft Corp. today set its June patch list, saying it would issue seven security updates, three of them "critical," to patch Windows components such as Bluetooth, DirectX and Internet Explorer (IE).
It also looks like Microsoft will disable a vulnerable third-party program, said Andrew Storms, director of security operations at nCircle Network Security Inc.
"Maybe this is a new trend by Microsoft, issuing kill bit updates to mitigate risks," said Storms, referring to one of the seven updates. "Kill bit" is the term Microsoft coins to describe setting a flag in the Windows registry that disables a specific ActiveX control; the company regularly advises users to set the kill bit in lieu of a formal patch for a control that contains a bug.
In April, Microsoft issued a kill bit update for an ActiveX control distributed by Yahoo Inc. for its Yahoo Music Jukebox. At the time, Microsoft said it would lock down other vendors' software at their request by releasing fixes through Windows Update.
"If Microsoft was patching one of its own ActiveX controls, I would think it would say it's fixing something in 'ActiveX,' but because it's labeled this as 'kill bit,' it leads me to think that it involves a third party," said Storms.
Overall, he continued, the seven-update list is "one of the most diverse and interesting in a long time. It runs the gamut as far as the distribution of where they are in the operating system and software. The only thing we're missing is [a vulnerability for] Excel or Outlook, and we'd have one for everything that Microsoft makes."
Microsoft rated three of the seven updates "critical," its highest threat ranking, while three are tagged "important," one step lower, and the seventh -- the kill bit update -- was marked as "moderate."
The critical updates will patch Bluetooth, DirectX and IE in Windows, according to the prepatch notification Microsoft issued Thursday,
It's unlikely, however, that the IE update will address the vulnerability that Microsoft warned users about last week, said Storms. "It could," he offered, "but I don't think it would have something this quick." That bug, when combined with a flaw in Apple Inc.'s Safari Web browser, leaves users open to attack, Microsoft said in a security advisory issued last Friday.
The patch will fix IE6 and IE7 running in all supported editions of Windows, including Windows 2000, XP, Server 2003, Vista and Server 2008. Microsoft has pegged the IE fixes in the client operating systems as critical, but only as moderate on the server side.
Storms also called out the Bluetooth update as noteworthy. "A lot of people will be looking at this one," he said. "Does the vulnerability carry over into the mobile side, or is it only around the desktop?" Bluetooth vulnerabilities, Storms added, are rare and often resemble the "man-in-the-middle" bugs that are sometimes exploited in 802.11-based wireless scenarios.
Two updates -- one for Windows Internet Name Service and the other for Active Directory -- affect only server software. Although Microsoft rated both as important, Storms said enterprises may think differently. "Active Directory is such a critical core component. Large enterprises will certainly need to roll out these two, and it will take them some time, because of the testing they'll need to do."
The seven security updates will be posted Tuesday, June 10, around 1 p.m. EDT.
