October 9, 2008 1:06 PM PDT

Microsoft to issue 11 security patches on Tuesday

by Robert Vamosi

On Thursday, Microsoft announced four security bulletins for next week. The announcement is intended as a heads-up for IT departments before Patch Tuesday. Four fixes are considered critical, six important, and one is moderate as ranked by the software giant.

Starting this month, Microsoft is sharing the technical details of new vulnerabilities to give software developers a chance to update affected products before the public announcement. And on Tuesday, Microsoft is expected to provide with each bulletin an "exploitability index" to help system administrators prioritize the patches.

Among the critical patches, one each affects Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. All four could enable remote code execution if exploited.

Of the important patches, all six affect Windows, and could enable remote code execution or elevation of privilege if exploited.

The lone moderate patch affects Windows Office and could enable information disclosure if exploited.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by powowcow October 9, 2008 6:31 PM PDT
Windows Office? What's that? :P
by Curtis Baird October 12, 2008 9:21 PM PDT
On October 10, I received an e-mail in an e-mail account that as far as I know I've never used for correspondence with Microsoft (apparently timed to coincide with the Patch Tuesday announcement) that purports to be from Microsoft. It even came with an attached executable file - i.e. KB526314.exe - that I was told I needed to install. Here is the text of the message:

= = = = = = = = = = = = = =

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS
Microsoft Windows. The update applies to the following OS versions: Microsoft Windows
98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft
Windows Vista.

Please notice, that present update applies to high-priority updates category. In
order to help protect your computer against security threats and performance problems,
we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com
would have result in efficient creation of a malicious software, we made a decision
to issue an experimental private version of an update for all Microsoft Windows
OS users.

As your computer is set to receive notifications when new updates are available,
you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your
OS you have an indication to run all the updates at a background routine. In that
case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.


Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.



= = = = = = = = = = = = = =

I am pretty sure this e-mail is totally bogus as even the name of the attached file isn't even close to the numbers that Microsoft is using for its patches right now.

What do you think?
by Keithwalters October 12, 2008 10:26 PM PDT
Remember what was beaten into our heads every day as youngsters
Don't talk to strangers
Don't take anything from strangers
Only accept information from those you know and trust

And, they probably didn't add this bit, but they would have, do not EVER run an exe file from unsolicited e-mail.
Go to the website, but don't take the candy from even the nicest seeming stranger.
Hope this helps :)