To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39170037,00.htm

Microsoft's 'patch Tuesday' releases six 'critical' plasters
Attackers go for apps, not "the throat"

By Tom Espiner

Published: Thursday 14 February 2008

Microsoft has released 11 security patches, six of which are "critical" and five of which are "important", according to the software giant.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

This month's "Patch Tuesday" did not include a patch that had been promised in Microsoft's advance notification for February 2008. Microsoft could not be reached for comment at the time of writing to say why the patch had not been included.

Most of the critical vulnerabilities addressed in this month's patches affect Office, while one affects Internet Explorer, according to Microsoft's security bulletin summary. One of the critical vulnerabilities, as reported in Microsoft Security Bulletin MS08-008, affects both Microsoft Office 2004 for Mac and Microsoft Visual Basic 6.0 Service Pack 6.

The five "important" patches affect Microsoft Internet Information Services, Windows and Office. All the Windows Vista-related updates will be included with Windows Vista SP1, expected to roll out to consumers in mid to late March.

Tim Rains, security response communications lead for Microsoft, told silicon.com sister site CNET News.com: "Windows Vista SP1 and Windows Server 2008 are not affected by any of today's bulletins." Neither of which are available to the public yet.

Microsoft security patches for the vulnerabilities are available via Microsoft Windows Update or Microsoft's February security bulletin summary.

Security vendor Symantec warned that exploits for the vulnerabilities would not require much user interaction to execute.

Ben Greenbaum, senior research manager at Symantec Security Response, said: "While the batch of critical vulnerabilities all require some sort of user interaction to exploit, the interaction can be as simple as visiting a trusted website that has first been exploited by an attacker."

Security-management company Lumension advised IT administrators to concentrate on patching the vulnerabilities in Office and Internet Explorer first. Alan Bentley, Lumension's European vice president, said: "Attackers have shown in recent years that they'd rather target applications than go directly for the throat of the operating system, placing pressure on businesses to address the Office and Internet Explorer vulnerabilities."