Microsoft’s August Patch Tuesday security update was a whopper. The software maker released 11 fixes for 26 vulnerabilities, six of which are critical. The remainder were classified as important.
The batch of patches was the largest security update from the software company in two years.
While 26 vulnerabilities may seem like a large number, it is not atypical, said Richard Wang, U.S. manager at SophosLabs.
“It is higher than the last couple of months but by no means unprecedented. February this year also saw six critical and five important updates,” he told TechNewsWorld.
So Many Vulnerabilities, So Little Time
Microsoft is just skimming the surface of hundreds of bugs, according to Chris Rodriguez, a Frost & Sullivan analyst.
“There are 500-plus vulnerabilities reported every month. Not all of these are Windows-related, of course. Many of these are related to less prevalent systems, but Microsoft products still account for a large number of these vulnerabilities,” he told TechNewsWorld.
“Only critical and important vulnerabilities were addressed [in this update]. I am sure there were less severe vulnerabilities reported or found, but it seems that Microsoft has had to focus on only the most severe — triage style. It is important to patch these first; however, I should point out that most attacks are based on a combination of less dangerous vulnerabilities,” Rodriguez continued.
The Patchwork
The six critical plugs deal with vulnerabilities that hackers can exploit remotely. They were found in Excel, Internet Explorer, Microsoft Office Access, Microsoft Office, Outlook Express, PowerPoint, Windows Messenger and the Windows operating system.
“Critical patches address issues that can lead to malicious code being run directly on the victim’s computer, the most serious form of attack,” Wang explained.
Anyone using Microsoft Word or Internet Explorer could become a victim in these attacks if they browse to a compromised Web site or receive a specially modified document in their e-mail, he noted.
In fact, two of the fixes, one critical and one rated important, address vulnerabilities that have already been exploited by cyber criminals. Exploits for the Word and Access Snapshot Viewer bugs have already been seen in the wild, said Wang.
Microsoft reported in July that it had received reports of targeted attacks taking advantage of a flaw in the ActiveX control for the Access Snapshot Viewer. The critical issue affects the 2000, 2002 and 2003 versions of Access and could allow an attacker to gain the same user rights as the logged-on user, according to Microsoft.
Another critical fix concerns a flaw in Internet Explorer versions 5.01, 6 and 7. The flaw involves access to uninitialized memory, allowing a remote attacker to cause a denial of service (crash) or execute arbitrary code via unknown vectors; it is tracked as the “HTML Object Memory Corruption Vulnerability,” according to the National Vulnerability Database.
Although average users are at greater risk, as they are more likely to have an unprotected PC, businesses will need to patch their systems as well.
“Enterprises should apply the patches as soon as possible, particularly the Internet Explorer patch, because it addresses a vulnerability that has been publicly disclosed and affects the software that is most likely to encounter malicious attacks. Internet browsing is by far the most effective, common way in which the average user will encounter malicious code,” Wang concluded.