Microsoft to Spackle Holes in Windows, Messenger, Visual Studio

By Lisa Vaas  |  Posted 2007-09-07 Print this article Print

Microsoft will release fixes for holes that could lead to system hijacking in Windows, Messenger and Visual Studio.

Microsoft is planning to release five security bulletins on Septembers Patch Tuesday. While only one—a vulnerability in Windows—is deemed critical, three of the advisories address vulnerabilities that can lead to system takeover: the Windows flaw, flaws in MSN Messenger and Windows Live Messenger, and holes in Visual Studio. The IM client vulnerability in particular should be given priority, experts say.
"If the Windows Messenger vulnerability lends itself to a chat-based attack vector, then organizations and users of the ubiquitous Microsoft Messenger should pay attention, because this would be a prime candidate for spreading malware and viruses," said Paul Zimski, senior director of market and product strategy for PatchLink, in a statement.
In its September 2007 advanced security bulletin notification, Microsoft said it also plans to release updates for SharePoint as well as for Windows Services for Unix and the subsystem for Unix-based applications. Outside of the one critical Windows advisory, the other four updates are all deemed important. The eEye Zero-Day Tracker is currently listing three unpatched Microsoft vulnerabilities, but none of these are rated critical. Click here to read more about why Microsoft shut down the independent AutoPatcher online download service. While Sept. 11 may strike some as a Patch Lite Tuesday, experts warn that any vulnerability that could lead to remote code execution should be dealt with quickly. "Although this month may be a reprieve from this years heavy patch releases, any vulnerability that lends itself to remote code execution should prompt IT administrators to identify which parts of their network are affected and to apply those patches first," Zimski said. Indeed, he said, finding systems vulnerable to the threats at hand will be the toughest part of dealing with this months patch deployments. At any rate, whatever breathing room IT administrators get from having a less than onerous Patch Tuesday should be spent cleaning house, he said: updating network inventories, addressing backlogged vulnerabilities, classifying assets, prioritizing risk and measuring recent response times for patch implementation. As it does every month, Microsoft will also be releasing an update to the Microsoft Windows Malicious Software Removal Tool. The company also plans to release one high-priority, non-security update on Microsoft Update but none released on Windows Update. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel