One 'important' Windows security patch coming

Microsoft's plans to release one "important" security update for Windows Tuesday leaves a number of other flaws unpatched for at least another month.

One "important" security update for Windows will be released next week, Microsoft said Thursday. That means it'll be at least another month before the software giant patches several much-publicized flaws in its popular browser, e-mail and database programs.

IT administrators will find out Tuesday how many security holes are addressed in the update and where they are. For now, all Microsoft says on its TechNet site is that it plans one security bulletin for Windows.

"The greatest aggregate, maximum severity rating for these security updates is Important," the company said. "This update will not require a restart. This update will be detectable using the Microsoft Baseline Security Analyzer (MBSA)."

Last month, Microsoft issued patches to close 18 security holes in Internet Explorer, Windows, MSN Messenger, Exchange and Office. But those updates didn't address vulnerabilities that came to light in the days and weeks before.

One of those vulnerabilities, discovered by the security research organization HexView, is in Microsoft's Jet Database Engine. Attackers could use a memory handling error in the program to launch malicious code. Danish security firm Secunia said the flaw is "highly critical" because exploit code has been posted to a public mailing list. Secunia confirmed the vulnerability on a fully patched system with Microsoft Access 2003 and Windows XP SP1/SP2.

Also unaddressed are two vulnerabilities in Internet Explorer and Outlook brought to light by Aliso Viejo, Calif.-based eEye Digital Security in early April. The first "allows malicious code to be executed, contingent upon minimal user interaction," eEye said, adding that the problem affects Internet Explorer, Outlook and "additional miscellaneous titles." The second vulnerability has the same damage potential and also affects IE and Outlook.

Since these flaws are considered high-risk, it would seem unlikely that any will be addressed in a security update labeled "important." But as the software giant says each month in its advance notification message, "The number of bulletins, products affected, restart information and severities are subject to change until released."

Microsoft also announced Thursday that it will release an updated version of its Malicious Software Removal Tool on Windows Update and the Download Center. The tool will not be distributed using Software Update Services (SUS), the company said.

The TechNet site also noted that Microsoft won't be releasing any non-security high-priority updates for Windows on the Windows Update site.

This article originally appeared on SearchSecurity.com.

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close