Tuesday, March 17, 2009

Three Security Bulletins for Patch Plan by Microsoft

Microsoft is prepping three security bulletins affecting Windows next week as part of Patch Tuesday. The most serious of the bulletins addresses a remote code execution vulnerability. There is no word, however, on a patch for the Microsoft Office Excel zero-day that Microsoft warned users about last month.

Microsoft plans to push out three security bulletins next week, the most serious of which is meant to squash at least one remote code execution bug in Windows.

All three bulletins deal with security bugs in Windows, with the other two addressing what Microsoft characterized as "spoofing" issues. The remote code execution bulletin is rated “critical,” and affects Windows 2000, XP, Vista and Windows Server 2003 and 2008.

This month's patch lineup does not include a fix for the zero-day vulnerability affecting Microsoft Office Excel that hackers have been targeting in recent weeks. Microsoft issued an advisory on the bug Feb. 24, warning the bug could allow a hacker to execute arbitrary code if a specially crafted Excel file attempts to access an invalid object.

So far, Microsoft has reported seeing only limited, targeted attacks leveraging the vulnerability. However, the company has publicized workarounds for users concerned about exploitation. For one, Microsoft advises customers to use MOICE when opening files from unknown or untrusted sources. Users can also use the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted senders.

The spoofing issues addressed in the two bulletins slated for next week are rated “important.” One of those two bulletins covers Windows 2000, XP, Vista and Windows Server 2003 and 2008. The final bulletin, however, only impacts Windows 2000, Windows Server 2003 and Windows Server 2008.
