Patch Tuesday is a biggie this month
It's IT Blogwatch: in which Microsoft plops a gargantuan pile of patches into our laps. Not to mention the sad tale of the two-faced kitten...
Gregg Keizer reports:
Microsoft Corp. today released its largest security [update] in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer (IE), Windows Messenger and other software.
...
At least two of the vulnerabilities have already been exploited in the wild ... Those two, plus another pair ... should be considered "zero-day" bugs because technical details about the flaws had been circulating prior to today.
...
Of today's 11 updates, two were most anticipated: a patch for a bug in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, and one for a less-critical flaw in Microsoft Word ... [Both] have been exploited by attackers, making them especially important to patch.
John Fontana adds:
Microsoft Tuesday issued six critical patches, one [fewer] than expected, covering Windows, Office, Internet Explorer and Windows Media Player. Five other patches rated as important were delivered as part of Microsoft's monthly Patch Tuesday release.
...
The planned seventh critical patch, which Microsoft announced last week, was held back ... it is likely to find its way into the September release unless the vulnerability begins to be actively exploited.
...
The list of critical patches had so far been light this summer. There were three in June and none in July. Microsoft has issued a total of 51 patches so far this year.
Stephen Withers is also searching for the missing patch:
Microsoft issued 11 bulletins, but 12 were expected ... Before we get into all the detail of what was patched and why, here's what wasn't: a critical flaw in Windows Media Player. There's no indication from Microsoft's Security Response Center (MSRC) about when that update will be issued, but if it really is as critical as its rating suggests, there's a possibility of its release before September's Patch Tuesday. MSRC release manager Tami Gallupe gave no clues as to the nature of the underlying problem or progress on the fix, referring only to "a last minute quality issue".
As ever, Stephen Hall helps us prioritize:
MS08-045 ... Cumulative Security Update for Internet Explorer ... KB 953838 ... Publicly disclosed vulnerability but no known exploits ... PATCH NOW!
Brian Krebs sets the wayback machine:
At least 17 of those flaws earned Microsoft's "critical" rating, meaning they could be exploited to break into vulnerable systems with little or no help from the victim. The 26 vulnerabilities are the most Microsoft has addressed since it had 25 in August of 2006, which also included 17 rated as critical.
...
Half of the flaws fixed in today's release were found in Microsoft Office and component programs, such as Excel, PowerPoint and Word. Redmond also released patches for vulnerabilities in Windows Messenger, Outlook Express and Windows Mail. The updates are available through Microsoft Update or Automatic Updates. Office 2000 users can get Windows patches through either of those options, but will need to make a special trip to the Office Update page to grab the Office patches.
Robert Lemos expands:
Many other vulnerabilities affected components of Microsoft's popular Office software ... as announced at the Black Hat Security Briefings, Microsoft will soon allow security companies to have some information about the vulnerabilities being patched each month, so the firms can provide their clients with additional protection on patch day.
Microsoft's Damian Hasse has this insight:
MS08-050 concerns an ActiveX control that can be maliciously scripted to leak out personal information such as email addresses. There appeared to be no need for the control to have this behaviour so giving it a Kill-Bit seemed the correct approach to take. During the extensive testing that each security update undergoes, however, it became apparent that the Kill-Bit wasn't ideal as it partially broke the Remote Assistance application. So how do we kill off a control, keep the Remote Assistance functionality and still protect our customers? ... The control was modified so that when it initializes it first checks to see what process it's running within. If the process attempting to invoke the control is Remote Assistance (1) or if the caller is in a white list of applications found in the registry (2), then the control is permitted to be loaded. Otherwise it will not load ... We issue a Phoenix-Bit (AlternateCLSID) so that Remote Assistance can continue to use the old ClassID.
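Kill-Bits and the Phoenix-Bit Hasse describes both live in the registry, so an administrator can audit them after patching. The following is an added example, not code from the post or from Microsoft: it reads the IE ActiveX Compatibility key for a given CLSID and reports whether the kill bit (0x400 in Compatibility Flags) is set and whether an AlternateCLSID redirect exists. The CLSID used in the call is a placeholder, not the MS08-050 control's real identifier.

```powershell
# Added example: audit Kill-Bit / Phoenix-Bit state for one ActiveX CLSID.
# Assumes a 64-bit host; 32-bit IE on 64-bit Windows also consults the
# Wow6432Node hive, which this function does not check.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)]
        [string]$Clsid   # braces included, e.g. '{...}'
    )

    $keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $killBitFlag = 0x400   # bit IE checks before it will instantiate the control

    $result = [ordered]@{
        Clsid          = $Clsid
        KeyExists      = Test-Path -Path $keyPath
        KillBitSet     = $false
        AlternateClsid = $null   # Phoenix-Bit: CLSID IE loads in place of this one
    }

    if ($result.KeyExists) {
        $props = Get-ItemProperty -Path $keyPath
        # A missing value casts to 0, i.e. no kill bit.
        $flags = [int]($props.'Compatibility Flags')
        $result.KillBitSet = (($flags -band $killBitFlag) -ne 0)
        $result.AlternateClsid = $props.AlternateCLSID
    }

    [pscustomobject]$result
}

# Placeholder CLSID; substitute the one named in the security bulletin.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-List
```

A control that is kill-bitted but still loads in its host application is the case Hasse describes: the new CLSID is reached through AlternateCLSID while the old one stays blocked for script.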
And finally...
Buffer overflow:
Other Computerworld bloggers:
- Seth Weintraub: SSD drive finally coming to MacBook/MacBook Pros?
- SJVN: The biggest Blue Screen of Death ever
- Preston Gralla: Old Windows hand: Wubi installer needs some help
- Robert L. Mitchell: What killed InfiniBand
- Site-of-the-Day: Buzzword
- John Brandon: My life in the cloud: a good thing?
- Mark Hall: LivePower reduces data center electric bills
- Shark Tank: Just one more thing to worry about
- Shark Bait: Hardware Infestation
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 21 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.