Patch Tuesday: Microsoft Fixes Only Four Bugs - InformationWeek


In a small batch of patches, especially after last month's mega batch, Microsoft fixes vulnerabilities in Microsoft Agent, Visual Studio, and MSN Messenger.

IT and security managers who have been gearing up for the long hours of work that generally come with Microsoft's monthly Patch Tuesday can relax a little.

It's going to be a relatively easy time this month. And that's a big swing from last month's mega patch release, which included nine security bulletins covering 14 vulnerabilities.

September's patch release only includes four security bulletins. Last week, Microsoft had announced that there would be five bulletins, but one was pulled before the official release.

"It's a pretty light month, really," said Tom Cross, a security researcher with IBM's Internet Security Systems X-Force, in an interview. "We're not highlighting any for our customers."

The batch of bulletins includes one critical and three that are rated important, the company's second-highest security rating. The critical bug involves a remote code execution vulnerability in the way the Microsoft Agent handles certain specially crafted URLs, according to the Microsoft advisory. The bug affects Microsoft Windows 2000 Service Pack 4. Microsoft noted that users whose accounts are configured to have fewer user rights on the system would be less affected than those with more administrative rights.

Symantec Security Response is warning users that researchers there considered the remote code execution vulnerability in Microsoft Agent ActiveX to be critical since ActiveX controls run on a "significant number" of systems. "Symantec has observed a significant increase in ActiveX vulnerabilities this year," said Ben Greenbaum, senior research manager at Symantec, in a statement. "Attackers are targeting trusted Web brands, such as social networking sites, and then waiting for their victims to come to them so they can exploit the vulnerability and gain access to the individual's computer."

One of the bulletins rated important addresses a vulnerability in Visual Studio that could allow an attacker to remotely execute code. Cross noted that this bug has been public since this past January when a proof-of-concept exploit for it was floated on the Internet. The exploit, though, didn't bring many attacks.

"It's just not a widely distributed application that people looking to launch attacks are exploiting," said Cross. "Programmers are a sophisticated group and less likely to fall for tricks and click-on-this-link tricks."

Another bulletin rated important deals with a publicly disclosed vulnerability in Windows Services for Unix 3.0, which could allow an attacker to gain elevation of privilege. The fourth bulletin, also rated important, handles a publicly disclosed vulnerability in MSN Messenger and Windows Live Messenger, which could allow an attacker to take complete control of the affected system.
