Patch Tuesday: Critical flaws in Windows, Office

[nsane.forums]

Microsoft has announced plans to ship three security bulletins this month to cover at least four serious vulnerabilities in all supported versions of the Windows operating system. According to an advance notice from Redmond, one of the bulletins will be rated "critical" while the rest will carry an "important" rating. All three bulletins cover issues that could lead to remote code execution attacks, Microsoft said.

Affected software includes the Windows OS, Microsoft Office and Microsoft Groove 2007.

It is not yet clear if this Patch Tuesday batch of updates will include fixes for the recent Windows BROWSER protocol vulnerability that was publicly discussed in February.

Microsoft last week quietly shipped an update to fix a security flaw in the in the Microsoft Malware Protection Engine. This engine powers Microsoft's range of anti-malware and security products (Forefront, Live OneCare, Security Essentials, etc.)

From an advisory issued last week:

Microsoft is releasing this security advisory to help ensure customers are aware that an update to the Microsoft Malware Protection Engine also addresses a security vulnerability reported to Microsoft. The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid logon credentials has created a specially crafted registry key. An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users.

Since the Microsoft Malware Protection Engine is a part of several Microsoft anti-malware products, the company said the the update was installed along with the updated malware definitions for the affected products.

View: Original Article

[DKT27]

Patch Tuesday: March 2011 edition

Microsoft has issued an advanced security notification for the month of March 2011. Patch Tuesday, as nicknamed by Microsoft, where the company releases the latest security patches for Windows, Office, Internet Explorer and other Microsoft branded software on the second Tuesday of every month.

This month is a light one, bringing only three bulletins, one which is labeled Critical, Microsoft's highest security rating, and the other two labeled as Important. All three patches will fix remote code execution flaws in both the Microsoft Windows operating system and in Microsoft Office.

There hasn't been any mention if a patch will be released for the MHTML vulnerability found on all supported versions of Windows. The vulnerability exists by the way MHTML interprets MIME-formatted requests, allowing an attacker to run an unauthorized script. We'll have to wait till March 8 for the patches to be released to determine if the MHTML vulnerability has been patched.

The patches will fix vulnerabilities in the following software:

• Windows XP SP3
• Windows Vista SP1 & SP2
• Windows 7
• Windows Server 2003 SP2
• Windows Server 2008 R2
• Microsoft Office Groove 2007

Some of these updates will require a restart. Affected software includes both 32-bit and 64-bit, where applicable.

View: Original Article