Microsoft to Spackle Holes in Windows, Messenger, Visual Studio

Microsoft will release fixes for holes that could lead to system hijacking in Windows, Messenger and Visual Studio.

Microsoft is planning to release five security bulletins on Septembers Patch Tuesday.

While only one—a vulnerability in Windows—is deemed critical, three of the advisories address vulnerabilities that can lead to system takeover: the Windows flaw, flaws in MSN Messenger and Windows Live Messenger, and holes in Visual Studio.

The IM client vulnerability in particular should be given priority, experts say.

"If the Windows Messenger vulnerability lends itself to a chat-based attack vector, then organizations and users of the ubiquitous Microsoft Messenger should pay attention, because this would be a prime candidate for spreading malware and viruses," said Paul Zimski, senior director of market and product strategy for PatchLink, in a statement.

In its September 2007 advanced security bulletin notification, Microsoft said it also plans to release updates for SharePoint as well as for Windows Services for Unix and the subsystem for Unix-based applications. Outside of the one critical Windows advisory, the other four updates are all deemed important.

The eEye Zero-Day Tracker is currently listing three unpatched Microsoft vulnerabilities, but none of these are rated critical.


Click here to read more about why Microsoft shut down the independent AutoPatcher online download service.

While Sept. 11 may strike some as a Patch Lite Tuesday, experts warn that any vulnerability that could lead to remote code execution should be dealt with quickly.

"Although this month may be a reprieve from this years heavy patch releases, any vulnerability that lends itself to remote code execution should prompt IT administrators to identify which parts of their network are affected and to apply those patches first," Zimski said.

Indeed, he said, finding systems vulnerable to the threats at hand will be the toughest part of dealing with this months patch deployments.

At any rate, whatever breathing room IT administrators get from having a less than onerous Patch Tuesday should be spent cleaning house, he said: updating network inventories, addressing backlogged vulnerabilities, classifying assets, prioritizing risk and measuring recent response times for patch implementation.

As it does every month, Microsoft will also be releasing an update to the Microsoft Windows Malicious Software Removal Tool. The company also plans to release one high-priority, non-security update on Microsoft Update but none released on Windows Update.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.