Microsoft will Issue a Critical Patch Next Week for Windows 7 IE8

Status
Not open for further replies.

Osiris


Microsoft is expected to release a security patch to address a Critical vulnerability in IE8. For December, Microsoft is planning to release six new security bulletins that are expected to address different vulnerabilities in several Windows products. Some of the vulnerabilities are in Windows 7, some in Internet Explorer 8, and some in Microsoft Office products. On the Office side the vulnerabilities affect Project, Word, and Works 8.5.

Microsoft Security Response Center
There is a range to the bulletins including three that are Critical and three that are considered Important. The Microsoft Security Bulletin Summary for December 2009 outlines these vulnerabilities:
Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution
Vulnerability in Microsoft Office Project Could Allow Remote Code Execution
Cumulative Security Update for Internet Explorer
Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service
Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution
Proof of Concept for the security flaws was released to the public recently, which prompted Microsoft's response. In computer security, the term proof of concept is often used as a synonym for a zero-day exploit which, mainly for its early creation, does not take full advantage of some vulnerability. The zero-day, the day of release, means that the item in question, in this case the software IE8, has a weakness that has not been fully exploited. But for Microsoft the weakness will be addressed in the patch upgrade.
According to a Microsoft spokesman, Jerry Bryant, security program manager, “The IE update maps to bulletin number 4 in the ANS and will be at the top of our deployment priority list. The other critical update affecting Windows (bulletin number 1) will have a lower Exploitability Index rating, so while the impact is higher with a critical severity rating, the lower risk will drop the deployment priority down a little. The final critical update affecting Microsoft Project (bulletin number 3), is only critical for Project 2000. The other affected versions are important. That coupled with a lower Exploitability Index will also drive it down on the deployment priority list. Customers have asked us to map the numbered bulletins in the ANS to the final bulletin IDs after release so we will be doing that in the blog post here on Tuesday.”
 