Feeds

MS preps five critical fixes for busy Patch Tuesday

ATL clean-up

Internet Security Threat Report 2014

Microsoft is lining up nine updates - five critical - for the August edition of its regular Patch Tuesday update cycle.

Eight of the nine patches plug vulnerabilities in Windows while the final update fixes a critical flaw in Microsoft Office (as well as Visual Studio, Microsoft ISA Server and Microsoft BizTalk Server).

Microsoft's pre-alert is light on details, as is the norm, but does explain that one of the critical Windows fixes will plug vulnerabilities in Outlook Express and Windows Media Player.

One of the critical flaws affects Microsoft's Client for Mac as well as Windows. All flavours of Windows - including servers and Vista - will need patching.

Last week Microsoft released an out-of-sequence patch that fixes a critical Internet Explorer flaw that was being actively exploited by hackers. At the same time Redmond also released a critical update for its Visual Studio development tools suite.

Both the two security problems stem from a fundamental flaw in Microsoft's ATL, or Active Template Library, which developers across the industry use to write application components (or more specifically Component Object Model code, including ActiveX controls). The flaw comes from a programming error involving an extra "&" character in a line of code. This, in turn, creates a buffer overflow risk for any applications that make use of the ATL code library.

Informed guesswork suggests that most of August's fixes will address flaws that can ultimately be traced back to the ATL snafu but were not as urgent as the MSVidCtl ActiveX control flaw that prompted an out of sequence IE patch last month.

The MSVidCtl ActiveX control flaw was been actively targeted by hackers and unpatched, the worst possible scenario. The only remaining zero-day vulnerabilities in this category is a flaw in Microsoft Office Web Components (OWC) which emerged a day after Microsoft's July Patch Tuesday update was published. Microsoft's pre-alert suggests that this flaw will be patched next week but this is by no means certain. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.