Feeds

MS preps five critical fixes for busy Patch Tuesday

ATL clean-up

Security for virtualized datacentres

Microsoft is lining up nine updates - five critical - for the August edition of its regular Patch Tuesday update cycle.

Eight of the nine patches plug vulnerabilities in Windows while the final update fixes a critical flaw in Microsoft Office (as well as Visual Studio, Microsoft ISA Server and Microsoft BizTalk Server).

Microsoft's pre-alert is light on details, as is the norm, but does explain that one of the critical Windows fixes will plug vulnerabilities in Outlook Express and Windows Media Player.

One of the critical flaws affects Microsoft's Client for Mac as well as Windows. All flavours of Windows - including servers and Vista - will need patching.

Last week Microsoft released an out-of-sequence patch that fixes a critical Internet Explorer flaw that was being actively exploited by hackers. At the same time Redmond also released a critical update for its Visual Studio development tools suite.

Both the two security problems stem from a fundamental flaw in Microsoft's ATL, or Active Template Library, which developers across the industry use to write application components (or more specifically Component Object Model code, including ActiveX controls). The flaw comes from a programming error involving an extra "&" character in a line of code. This, in turn, creates a buffer overflow risk for any applications that make use of the ATL code library.

Informed guesswork suggests that most of August's fixes will address flaws that can ultimately be traced back to the ATL snafu but were not as urgent as the MSVidCtl ActiveX control flaw that prompted an out of sequence IE patch last month.

The MSVidCtl ActiveX control flaw was been actively targeted by hackers and unpatched, the worst possible scenario. The only remaining zero-day vulnerabilities in this category is a flaw in Microsoft Office Web Components (OWC) which emerged a day after Microsoft's July Patch Tuesday update was published. Microsoft's pre-alert suggests that this flaw will be patched next week but this is by no means certain. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.