Office, Windows get critical patches

Microsoft on Tuesday released nine patches, five of them critical, to plug holes in Windows and other software products.

The nine patches actually relate to 19 separate vulnerabilities in Windows, the .Net Framework, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server, and Remote Desktop Client for Mac.

Among the issues addressed is one that Microsoft warned about last month--a vulnerability related to the Office Web Components that help users put spreadsheets, charts, and other documents onto the Web. At the time, Microsoft said it was already seeing attacks based on the flaw, which affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.

More information on that issue and the others addressed with this month's patches is available in a bulletin on Microsoft's Web site.

As is its practice, Microsoft said last week that the patches were coming.

Symantec senior research manager Ben Greenbaum noted that many of the vulnerabilites this month related to so-called ActiveX controls and added that many of the holes could be exploited just by getting a user to visit a Web page that has malicious code.

"All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user," Greenbaum said in an e-mail. "For example, any user who has Microsoft Office on their machine could be vulnerable to the Microsoft Office Web Components vulnerabilities. Similarly, every user with Windows XP SP3 or Vista could also be susceptible to one of the Remote Desktop Connection issues."

Actually, not all versions of Office are affected, as the Web components issue does not affect the latest version--Office 2007. For a list of Office programs affected, see this security bulletin.

In any case, McAfee and Lumension both noted that it continues to be a long, hard summer for IT professionals who have had to deal with a large number of regular patches and some unscheduled ones as well from Microsoft and others.

"There's no break from patching this summer," McAfee Avert Labs' Dave Marcus said in a statement. "Microsoft is playing catchup with these patches as cybercriminals have already used some of the serious vulnerabilities to commandeer vulnerable Windows computers."

Lumension analyst Paul Henry said there had been some fear that the patches would go further, addressing some kernel-level issues. But even still, he said the latest crop of patches will bring their fair share of headaches.

"After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need is yet another large batch of patches from Microsoft," Henry said in a statement. "Unfortunately, that is exactly what we got today as Microsoft released a total of nine security updates, five of which are critical and seven of which require disruptive restarts."

[rmva]

They sure do sell an awful lot of products.

[BogusBasin]

They sure do sell a lot of awful products.<br /><br />Amen

[dhavleak]

"Microsoft released a total of nine security updates, five of which are critical and seven of which require disruptive restarts."<br /><br />Yellow journalism at it's finest. Not worth mentioning that you can apply all seven and restart just once?<br /><br />1) MS has a predictable patching schedule (second tuesday of each month)<br />2) MS announced (as they usually do) that the patches were coming<br />3) MS delivered the patches as expected<br /><br />The only thing MS can do to be less 'disruptive' is to not release the patches, be silent about the flaws, etc. And we know how disruptive that will turn out to be in the long run. Before anybody replies saying that they should just release a secure product instead -- just apply this test first -- show me some software that has never needed to be patched, and I'll show you a software maker that has a right to complain about this. Also remember that patch tuesday isn't just about windows updates -- the updates are for just about every MS software on your machine.<br /><br />Seriously -- the entire windows using world knows about patch tuesday. I'm typing this on a linux machine right now -- but when I switch to one of my windows machines I'll know about it. I seriously cannot understand the need to write an article about patch tuesday every single freaking month. Beyond feeding the trolls, I just do not understand what this accomplishes.

[lazycat202]

@rmva &#38; dhva:<br />they do sell a lot of awful products. But more than 95% of computer users are using their products. You think those users are awful too? No brain at all?<br />I think it's better to address the issues than keep your mouth shut and let your customers suffer the consequences.

[dhavleak]

Ok.. I didn't think of these monthly 'blogs' about windows updates as being 'customer advisories', but I can certainly see the point there. OTOH -- that's exactly what MS's security bulliten advanced notification is for: <br />http://www.microsoft.com/technet/security/Bulletin/advance.mspx <br /> <br />My point was -- when in the system tray, you see a windows update icon telling you it's time to update, well, it's time to update. You don't need to follow a blog to do that. The blog, as far as I can tell, merely serves as fodder for flamewars by posting this stuff every month. <br /> <br />Note how I am ignoring the silliness about "lot of awful products" / "awful lot of products" etc. My intention isn't to troll -- it's to prevent trolling. Keeping customers in the dark is definitely not what I'm suggesting. MS could have achieved that by not releasing these critical updates. It's quite the reverse -- they're as transparent as they could possibly be about this process.

[lazycat202]

MS blog is for users who want deep down information. When I experience an issue, I go there and search for the answer. By the way, MS blog isn't for everyone and lot of people don't really care what on it. But still, I need it ;)

[Seaspray0]

@bogusbasin. people wouldn't use them if they were awful. If you can't control your trolling, you'll end up inviting others to do just the same the products you use.

[Seaspray0]

@bogus basin. Maybe everyone should rapay you in kind by trolling every article concerning apple patches with "apple sells alot of awful products." <br /> <br />AMEN.

[The_happy_switcher]

From Monty Python and Holy Grail:<br /><br />King of Swamp Castle: "When I first came here, this was all swamp. Everyone said I was daft to build a castle on a swamp, but I built in all the same, just to show them. It sank into the swamp. So I built a second one. That sank into the swamp. So I built a third. That burned down, fell over, then sank into the swamp. But the fourth one stayed up. And that's what you're going to get, Lad, the strongest castle in all of England." <br /><br />Kind of reminds me of the Windows development cycle, only the castles keep sinking.

[Vegaman_Dan]

@The_Happy_Switcher: <br /> <br />You seem to ignore the fact that OS X and Linux have released OS updates as well. Perhaps the ground on which you have built your Apple shrine is a bit... swampy?

[Seaspray0]

Have you ever noticed that happy switcher and bogus basin do nothing more than troll microsoft articles and write the same "microsoft is bad" posts?

[santuccie]

@Seaspray0:<br /><br />I have. And they're not the only ones. There are a few dozen snarling, yapping Chihuahuas around here, trying to bluff the St. Bernard. Did you know it's entirely because of marketing that Windows dominates all other platforms 9 to 1 (positively no relation to quality of product)? Did you know that Microsoft is to blame, and inexcusably so, for failing to implement anti-drive-by-download mitigations in XP; despite the fact that Mac OS is almost as vulnerable, and despite the fact that no one knew what a drive-by download was in 2001 because they didn't exist yet? Did you know that running a Unix-based kernel as a non-superuser makes you invincible against drive-by malware; despite demonstrations, unanimous security researcher criticisms of OS X's inferior security, and the fact that Vista has yet to be successfully infiltrated ItW in three years, even though it shares much of XP's code? Yup; Apple's own Web site says so, and they wouldn't lie!<br /><br />Did you know that Unix-based platforms are MORE stable than Windows; even though your panel icons in a fresh installation of any Linux distro will be scrambled after rebooting to finish installing updates; even though Windows is the only one that won't crash a USB mouse or flashdrive running portable apps after 3 days; and even though Windows is the only one that doesn't require you to unplug all peripherals, close all applications, and log off all users just to keep it from waking up from standby? Did you know that it's all because of the registry and the overall chaos of Microsoft's "knotted spaghetti code" (NOT because of antimalware or poorly-written, third-party apps and drivers) that Windows crashes; even though all three of my Windows machines will run flawlessly for weeks, when I've installed more than just a few programs (the desktop unit I'm presently in front of has over 150 applications, at least 50 of which are non-portable); and even though Windows problems can be reproduced, and the answer found in a forum just by searching Google; while other platforms can freeze, or have a kernel panic or gray screen completely at random, and you may not ever get your answer half the time)?<br /><br />Did you know the rumors about Macs being more expensive than PCs are untrue, and that a Mac would in fact be cheaper than a PC with all the same specs?<br /><br />http://www.shareapic.net/content.php?id=18771907&#38;owner=santuccie<br />http://www.shareapic.net/content.php?id=18771908&#38;owner=santuccie<br />http://www.shareapic.net/content.php?id=18771909&#38;owner=santuccie<br /><br />(Both systems have a 17" screen @ 1920x1200, a C2D 2.8 GHz processor, 8 GB DDR3 1066, a 500 GB HDD @ 7,200 RPMs, a slot-loading DVD burner, the Pro version of the latest MS Office suite, and a 3-year full service warranty. Some extras you get with the Alienware include a superior GPU and 5 years free online backup.)<br /><br />So, did you know? Yah; neither did I.

[Seaspray0]

@santuccie. Find me a mac that matches the specs of a base model Dell Studio 15, and I'll listen (that's the laptop I just puchased recently).

[santuccie]

@Seaspray0:<br /><br />I doubt I can. Just so we're clear, I was being sarcastic. It's no myth that Macs cost considerably more than PCs with equivalent specifications. Between the two machines illustrated in the pictures, the Alienware has more features, plus a way better graphics chip (it was the lowest available; I couldn't downgrade it to match the MBP's GeForce 9600/9400 hybrid)... and it's still over $300 LESS than the Mac! I don't know what kind of battery life you'll get with the Alienware, but it probably doesn't match the 6-7 hours you'll get with a Mac. Yet you can add a 9-cell battery and still be paying $150 less.<br /><br />So, you got a Studio 15? How do you like it? I just won a $1,000 Best Buy gift card from MyCokeRewards, and will be purchasing another laptop with it. I'm not a gamer, so I don't need top-of-the-line graphics, but I need something on which I can play a PPT slideshow, and simultaneously record the screen at no less than 30 FPS. I'm looking at a Studio XPS 16: http://www.bestbuy.com/site/olspage.jsp?skuId=9353399&#38;type=product&#38;id=1218090334197<br /><br />Some people talk about this unit getting a little hot, but that tends to happen with a rig packing this much power. At least no one complains of it burning a hole in your pants like some models. It doesn't have the kind of battery life that a Mac would, but I always dim the display a bit, and intend to upgrade the battery and RAM, turn off the page file, and replace the hard drive when Intel's 128 GB X25-E comes out. That'll bump it up a good few hours. :)

[monkeyfun14]

"Unfortunately, that is exactly what we got today as Microsoft released a total of nine security updates, five of which are critical and seven of which require disruptive restarts."<br /><br />Disruptive? Dramatic much? How much productivity are you losing with a minute of downtime? Surely not as much as an employee sitting around on addictinggames for 30 minutes.

[BogusBasin]

All hail the great MS Defender! Keep up the good work monkey. How's the weather in Redmond today?<br /><br />Amen

[kojacked]

BB: Did you forget to take your pills again?

[BogusBasin]

Is it that noticeable? I may be crazy, but I am sure having a good time! Whoo hoooo! Die Microsoft Die!<br /><br />Amen

[Vegaman_Dan]

@BogusBasin: <br /> <br />According to Weather.com, the temperatures are supposed to be in the mid 60's today in Redmond. <br /> <br />What does that have to do with Operating System updates? Should we also note the weather in Cupertino as well?

[Random_Walk]

"How much productivity are you losing with a minute of downtime?"<br /><br />Wanna guess at how long it takes to reboot a Windows server?

[lazycat202]

@Random_walk:<br />Normal boot: 2 mins<br />updated-boot: around 5-6 mins.<br /><br />compare with Apple fans, Microsoft/linux IT guys/girls are not stupid. LOL They'll update their systems around midnight so it won't disrupt anyone.<br /><br />Got any other questions?

[Seaspray0]

@randomwalk. "Wanna guess at how long it takes to reboot a Windows server?" <br /> <br />Ooooh, Oooh! I know that answer! A $#!T load longer than it does to reboot a workstation. LOL. Many people wouldn't think so since servers typically are fast and powerful, but they don't realize that those servers tend to run alot of services you don't normally find on workstations. That, and it takes a minute alone just to get through all the bios initializations. <br /> <br />"They'll update their systems around midnight so it won't disrupt anyone." You got that right unless it interferes with backups.

[mbenedict]

The irony here is Apple also just released critical patches for Safari... <br /><br />...which also requires a 'disruptive' reboot.<br /><br />http://lists.apple.com/archives/security-announce/2009/Aug/msg00002.html

[abra697469]

For an OS that came out in 2001... You would think that you wouldn't have so many holes and vulnerabilities! Ah well, job security I guess! Ha, Ha get it!!!

[Seaspray0]

Windows 2000? <br /> <br />As for holes and vulnerabilities, things have changed. Linux and OSX have had more vulnerabilities than windows for the last 3 years. Get with the times, ripvanwinkle.

[Sausagebiscuit]

I, for one, welcome our new ActiveX overlords.

[gertruded]

I am shocked that the 9 patches are actually 19 more vulnerabilities. We were told by the Windows experts on the site that vista and 7 were very secure. Their words were very convincing, so maybe there will not be additional ones to worry about.<br /><br />I am getting a little concerned about Windows security.

[superswiss]

Well, I'm running Windows 7 Professional with the Office 2007 and every other piece of software is the latest version. I just checked Windows Update and the only "patch" that applied to my system was an update to the Outlook Junk Email Filter, which is just a bunch of updated rules and no patch.

[zepol22]

I am just curious. How many of you who constantly attack Microsoft, especially their operating systems, know anything about designing/writing software. I have a feeling not many. And this goes for attacking any company about their software. If you really think that you could create something better than windows, than do it. The majority of the idiots who flock to these type of articles probably know nothing about software architecture. Every company releases security patches even the GREAT APPLE. Any one care to guess how many lines of code windows contains? Lets just say a lot. This makes it is very easy to overlook vulnerabilities. So until one of you come out and create the best OS ever, that never needs an update, keep your mouths shut.

[The_happy_switcher]

I don't know how to build a car so should I stop driving one? I don't how to build a train, either, so should I stop riding BART? That's why I pay someone else. The difference with Windows is that you pay for it and it still doesn't work the way it's supposed to even after 1000's of patches.

[zepol22]

@ happy<br /><br />That is not what I am saying at all. And you know that. So first of all don't twist my words. Second of all you can not compare building a car and a train to building software. So your argument already fails. Patching is part of the software development cycle just so you know. Patches do not mean the software is horrible, they are actually good, showing you that the company is striving to give you the perfect product even though that is impossible. So what my original post said was that if you want to cry and moan every time a patch for windows comes out, then why don't you build an OS that never needs a patch. Anyone in the software industry will tell you that is impossible. So please stop crying about a patch that is being released to protect you.

[monkeyfun14]

@The_happy_switcher<br /><br />No you shouldn't be barred from driving one but you should stop from criticizing which you have no clue about.

[kojacked]

No THS, don't stop riding BART! Just step in front of the tracks!

[Seaspray0]

"...even after 1000's of patches." Either post truthfully, or you WILL hear no end from me on what a liar you are.

[gertruded]

I just did the updates for my Vista laptop. I checked the laptop update log and I counted 215 security updates since 3/8/08. I guess the 19 for this month is not that unusual. I wish I had not counted the total number of updates as it is really shocking to me.

[FF2009]

"I checked the laptop update log and I counted 215 security updates since 3/8/08."<br /><br /><br />a new record? why am I not surprised. lol

[rmva]

FF2009, <br /> <br />Did you exclude monthly Malicious Software Removal Tools and Outlook Spam Filter Updates, or is subtraction not part of your skill set?

[Hokulea]

Okay sure, that makes sense. First complain about security vulnerabilities then complain about the patches that fix them.

[SergeM256]

Tthis patch/update business is getting more and more annoying. I don't want any patches or updates, i want them to make it right the first time and not to fix it on a daily basis.

[zepol22]

Then why don't you make a product that never needs an update or patch. O wait you can't can you. Fail. <br />Next please.

[shycelticwitch]

You can have that with OS X. I update about once every 60 days, whether I need to or not. And Apple fixes most issues before they become issues, so no interruptions there either.

[zepol22]

I cannot wait til one hacker goes to work on OS X one day. And I'll get to watch all the little mac boys run around crying looking for mother Jobs to comfort them and tell them its going to be ok. As for OS X it has plenty of patches and updates, not as much as windows. They are not critical security patches because no hacker is going to waste their time designing malicious code for 2% of the market share.

[rmva]

The product you are looking for is called a toaster. It does one thing and does it extremely well.

[BogusBasin]

@zepol22<br /><br />So along the same thought process as you have been using, "if you want to cry and moan every time a patch for windows comes out, then why don't you build an OS that never needs a patch." And "How many of you who constantly attack Microsoft, especially their operating systems, know anything about designing/writing software?"<br /><br />Why don't you stop crying and moaning about the lack of credible viruses on the Mac and build one? You know so much about programming, it should be easy for you to exploit such an insecure OS. Talk is cheap. <br /><br />The real world fact is there are millions of Macs out there with no virus protection whatsoever. There are millions of people just like me that have been running out Macs this way for decades. No viruses. Ever. Not one. <br /><br />Amen

[zepol22]

@ Bogus <br /><br />I thought I made this clear in another post. If I could create a virus for a mac, why would I waste my time doing so when I would only be able to infect a maximum of 2% of the market share. Now granted, people like you who think they are special because they bought a mac, make it more than satisfying to write a virus even if I can only get 2% of market share. REAL hackers use the same thought process, macs = waste of time to code for. I do not write viruses and I do not claim I can write a better OS than windows, I am only a software engineer student. I understand why patches come out and that is why I do not complain. I am getting tired of reading you stupid troll posts on every article about apple and Microsoft. If you use a mac then why are you commenting on an article about Microsoft.

[The_happy_switcher]

@zepol: Here's a Chinese proverb made for you: "big winds come from small caves."

[zepol22]

And here is one for you to ponder my friend.<br /><br />A diamond with a flaw is worth more than a pebble without imperfections.

[lazycat202]

@bogus:<br />hackers don't waste their time to see your naked images. LOL<br />their main goals are servers that run the business world. Once they control the servers, they control everything. Gosh!! Let me tell you this: you're hooking up to a Microsoft/Linux Server right now. Don't you know that? now you go back and play with your expensive iMac and I'll play with my $500 HP laptop. Peace! I picked mine and you picked yours. I don't care what you're using. Period!<br />oh! when did they invent the OXS and Microsoft software? how many Apple and Microsoft employees are out there? worldwide

[monkeyfun14]

@BogusBasin<br /><br />And there are billions of pc's<br /><br />What would I make more money from? Millions of Macs or Billions of PC's?

[BogusBasin]

@zepol22 <br /> <br />Blah blah blah. Same old talk. Year after year. "Some day, you guys are gonna be sorry", "you are not immune!", "low market share", on and on and on. But still no virus protection. Still no virus. Want my IP address? 164.156.37.32 <br />Hum dee dum dee dum. Nope. Nothing. Here comes a suspicious email. Should I open it? Yep. Nothing. Boo pee dooo pee doo. Still nothing. No virus program pop ups. No updates. No fees. No Free AVG. Don't want it. Don't need it. 15 years and counting. <br /> <br />You have no credibility. Enjoy Windows. Backup. Often. <br /> <br />Amen

[zepol22]

Bogus you are a character! haha! I have been using windows since 1996, never had a problem. I have no anti virus installed on this vista machine right now. Do I open rogue emails or go to random sites filled with malicious goodies. No. Sure do I have to be careful, yea I check urls before I click. I am not jealous that you can open junk emails, why would I want to. I am glad you enjoy your mac so much! My girl friend just bought a mac and I had a dandy old time helping her set up the computer. Would I ever buy mac, sure if the price comes down. They are excellent computers, I am not trying to say they are not. Like its been said before, it comes down to personal choice. <br /><br />I will enjoy windows and I know you will always enjoy you mac. <br />Good day.

[monkeyfun14]

@BogusBasin<br /><br /><br />I think its safe to say you are a paid Apple poster. From this point on I will disregard any comments you make.

[BogusBasin]

@zepol22<br /><br />I had fun debating with you today. Despite perhaps being on opposite sides of the fence, I found your arguments hold much more merit than others I debate with. Good day to you as well.<br /><br />@Monkey<br />I am so sad. You make we want to run right out and buy a really cheap Windows box. So I can drag it around from the bumper of my Truck.<br /><br />Amen

[mbenedict]

Bogus IP address... assigned to a Pennsylvania state government network... all running... PCs.<br /><br />Go figure. ;-)

[Seaspray0]

Combine that with one of his recents posts where he says, "we here at apple..." Bogus looks more and more like a big fat liar.

[troyoverton]

@mbenedict:<br /><br />and I would supposed that the Penn network is actually running their servers vitrualized on Linux based hypervisors...

[pithenumber]

@Bogus<br />if you post an ip that isn't yours<br />how will i pwn your computer?

[no-bs-just-the-facts]

CERT sent an advisory years ago advising nobody use IE...ever...until the core issues of Active X being a security cesspool be addressed. It hasn't, the alert still stands. http://www.kb.cert.org/vuls/id/713878<br /><br />Quote: "There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model, trust in and access to the local file system (Local Machine Zone), the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented as operating system components that are used by IE and many other programs to provide web browser functionality. These components are integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.<br /><br />It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML)."

[BogusBasin]

Please do not post factual and documented information with links. It really excites the local MS Zealots. They aren't dangerous, but they can be really really annoying in an entertaining sort of way.<br /><br />Amen

[mbenedict]

Bull s**t. <br /><br />This particular ActiveX issue HAS been addressed, in fact Microsoft provided a patch WAY BACK in 2004.<br /><br />http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx<br /><br />It even says so in that CERT link provided... you know, under the section heading that says "SOLUTION". ;-)<br /><br />@Bogus: you meantioned something about "factual and documented information with links"? Ignorant Apple fanboys always crack me up.

[Seaspray0]

@mbenedict. Actually, activex is probably THE biggest problem microsoft has ever had. The vast majority of security issues are related to it. Only about 10% of websites use it now. I advise everyone I know to just turn it off, or set it to notify before allowing it. The issue you are refering to, may have been patched way back when, but there have been ample more to replace it. <br /> <br />@bogus. If you would actually debate instead of troll, you might find more people willing to speak to you nicely.

[weegg]

ActiveX must go and MS should have the strength to issue a statement that it will no longer be supported.<br /><br />But, we know they will not.

[happygolucky101lol]

STOP COMING UP WITH RIDICULOUS UPDATES AND LET ME USE MY "NEW" LAPTOP FOR EXTENDED PERIODS WITHOUT LOSING THE AUDIO! You've killed enough PC companys like HP and Dell, let America get Mac/Linux so we don't have to waste money on your WORTHLESS products! I have been a Microsoft user since my first computer, and this will most definitely be the absolute last Microsoft Product I will EVER USE IN MY LIFE. Sorry for this following strong language, but MICROSOFT, YOU **** ME OFF. Last straw. And "I can't wait for Windows 7". Ya, right.

[jwant_fp]

...

[ZetaZeta_]

My thoughts exactly.

[Sherry719]

Happy Tuesday! I had to install 11 patches. I guess my computer was worse off.