Microsoft pushed out eight updates on Tuesday, the company's regular patch day, to fix more than a score of vulnerabilities, including critical issues in Internet Explorer, Office, DirectX and the Windows HTTP server.
The software updates fixed a total of 21 vulnerabilities, 11 of which were rated Critical by Microsoft — the software giant's highest rating of severity. For example, a Critical flaw in Microsoft's multimedia platform for Windows, DirectX, could allow a maliciously-created movie to run attack code on a victim's computer. Vulnerabilities in Excel and the Office text converters could allow attackers to run malicious code using an Office file, although the issues were only considered Critical for Office 2000.
Because people still trust documents and movies, those types of vulnerabilities are the most serious, Holly Stewart, threat response manager for IBM's Internet Security Systems X-Force group, said in a brief analysis of the updates.
"Document and multimedia vulnerabilities represent two of the fastest-growing categories of vulnerabilities affecting personal computers," Stewart stated. "They are prime exploitation targets for the criminal underground, because they are typically easy to exploit through spam or through links to malicious Web sites where the documents are hosted."
IBM found that document-related vulnerabilities rocketed more than 150 percent between 2007 and 2008, while security issues in multimedia formats jumped more than 125 percent. In the last quarter of 2008, IBM found that more than 1 in 7 malicious links were related to malicious movies, while 1 in 10 were related to malicious documents.

The updates also fixed issues that were described in security advisories issued by Microsoft nearly a year ago. In a blog post, Microsoft's Security Response Center tackled the most obvious question: Why did it take so long to issue patches?
"When we here at Microsoft are asked this question: our answer is 'we want to get this right,'" the MSRC stated. "Or to put it another way, we are constantly asking ourselves during any given release cycle 'are we doing the right thing for our customers?' ... I will say that we will do the right thing for our customers; we will dig deeper; we will hold a low quality update; and we will release an update when it is ready for broad distribution; no sooner or no later."
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos