Patch Tuesday: 64 vulnerabilities, 17 bulletins

[nsane.forums]

Microsoft is planning a monster Patch Tuesday next week: 17 bulletins with fixes for 64 documented vulnerabilities across Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and GDI+. According to Microsoft's advance notice, 9 of the 17 bulletins will be rated "critical," the company's highest severity rating.

This month's batch of patches, due at 1:00 pm Eastern on Tuesday April 12, will include an Internet Explorer browser update that fixes a pair of publicly known security problems:

This month we'll be closing some issues that Microsoft has already previously spoken to, including the SMB Browser (Critical) issue publicly disclosed Feb. 15. Microsoft assessed the situation and reported that although the vulnerability could theoretically allow Remote Code Execution, that was extremely unlikely. To this day, we have seen no evidence of attacks.

We are also planning a fix for the MHTML vulnerability in Windows, rated Important. We alerted people to this issue with Security Advisory 2501696 (including a Fix-It that fully protected customers once downloaded) back in late January. In March, we updated the advisory to let people know we were aware of limited, targeted attacks.

There is no word on whether this IE update will include a fix for the multiple bugs used in the winning CanSecWest Pwn2Own exploit.

All versions of Windows are affected by this batch of updates, including the newest Windows 7.

View: Original Article

[DKT27]

Microsoft prepping mammoth Patch Tuesday

Microsoft will release 17 bulletins next week to fix 64 vulnerabilities across a swath of products including Windows, Office, and Internet Explorer, the company said in its Patch Tuesday preview.

Of the bulletins, nine are rated "critical" and eight are "important," the company said in a TechNet blog post today.

In addition to all versions of Windows; IE6, IE7, and IE8; numerous versions of Office for Windows and the Mac, affected software includes Visual Studio .NET and Visual C++, according to the advisory.

"This month we'll be closing some issues that Microsoft has already previously spoken to, including the SMB Browser (Critical) issue publicly disclosed Feb. 15. Microsoft assessed the situation and reported that although the vulnerability could theoretically allow Remote Code Execution, that was extremely unlikely. To this day, we have seen no evidence of attacks," the company said in its blog post.

"We are also planning a fix for the MHTML vulnerability in Windows, rated Important," the post said. "We alerted people to this issue with Security Advisory 2501696 (including a Fix-It that fully protected customers once downloaded) back in late January. In March, we updated the advisory to let people know we were aware of limited, targeted attacks."

The release represents a large number of bulletins and vulnerabilities addressed at one time for Microsoft. The company issued 17 bulletins in December and plugged a record 49 holes in October.

"Microsoft is planning to release 17 bulletins and a whopping 64 CVEs (Common Vulnerabilities and Exposures) this month, a new CVE record," said Andrew Storms, director of security for nCircle. "That seems like a huge number of bugs but it's actually about what we expected. Ever since the middle of last year Microsoft's bulletin releases generally hit double digits every other month."

View: Original Article