Microsoft Fixes Record Number Of Vulnerabilities - InformationWeek

The company's June Patch Day included 10 security bulletins that fix 31 vulnerabilities in Microsoft products.

Microsoft on Tuesday released a substantial set of software patches, addressing 31 vulnerabilities with 10 security bulletins.

That's the largest number of vulnerabilities fixed in a single day since the company began issuing regular patches on the second Tuesday of every month in October 2003.

The company's June Patch Day includes six bulletins designated "critical," three "important," and one "moderate."

Affected software includes: Active Directory on Microsoft Windows 2000 Server and Windows Server 2003; Active Directory Application Mode when installed on Windows XP Professional and Windows Server 2003; Windows Print Spooler; Internet Explorer; Microsoft Office Word; Microsoft Office Excel; Microsoft Works Converters; Windows remote procedure call; Windows kernel; Microsoft Internet Information Services; and Windows Search.

Not included is a patch for a known vulnerability in Microsoft DirectX's DirectShow that can be exploited through a maliciously crafted QuickTime file. In late May, Microsoft issued a security advisory stating that the DirectShow-QuickTime vulnerability could be used "as a browse-and-get-owned attack vector."

However, Microsoft has provided a clickable button on its support site that will disable QuickTime parsing and protect systems vulnerable to this flaw.

A fix for the IIS WebDAV flaw that Microsoft warned about in mid-May is included.

Four of the 10 bulletins in the June patch cycle address publicly disclosed vulnerabilities.

Tas Giakouminakis, CTO of Rapid7, observed in an e-mailed statement that attackers are taking advantage of vulnerabilities faster than ever before. "We've seen the patch window for Microsoft vulnerabilities shrink to the point where vulnerabilities are being exploited on the day the patches are released or even prior to that," he said.

Bulletin MS09-019 includes a fix for the vulnerability exploited by a hacker known as "Nils" at the 2009 CanSecWest Pwn2Own competition. "Nils" exploited this vulnerability on an earlier IE8 build, so Microsoft doesn't expect to see it exploited in the wild against users of Vista or Windows 7.

Andrew Storms, director of security operations for nCircle, said in an e-mailed statement, "Client-side, browser-based vulnerabilities continue to top the charts for threats, so every user should put [MS09-019] at the top of their 'install immediately' list."
