Microsoft issues mammoth security update

Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked “critical,” in the biggest update since it switched to a regular monthly update schedule more than five years ago.

Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its four-step scoring system. Of the five others, three were judged “important,” the next step down, and two were pegged “moderate.” The patches were issued in eight updates for Windows, Internet Explorer (IE), Office, SharePoint, Windows Media, and the company’s most popular development tools, Visual Basic and Visual Studio.

Researchers agreed that one of the Windows updates should be tops on everyone’s to-do list. “There are a few that will stick out for a lot of people,” said Andrew Storms, director of security operations at nCircle Network Security Inc. “The GDI is one.”

MS08-071, which contains two separate vulnerabilities, both critical, updates the Graphics Device Interface (GDI), the core graphics rendering component of Windows. GDI has been repeatedly patched by Microsoft, most recently in September.

“This looks very similar to MS08-021,” said Storms, referring to an April update that patched two more GDI bugs. Like that earlier fix, as well as the one in September, hackers could exploit the vulnerabilities by duping users into opening or viewing malicious WMF (Windows Metafile) images. “[MS08-071] is something similar to what we saw with WMF files once before this year, and once last year, too,” said Amol Sarwate, manager of Qualys Inc.’s vulnerability lab. “It’s in the core kernel, it’s always there, it’s in all versions of Windows and the attack vector is pretty high.” Like Storms, Sarwate put the update at the top of his list. The long-running patch job on GDI will, said Storms, inevitably prompt some to ask whether Microsoft’s vaunted SDL (Security Development Lifecycle) process, under which it scrutinizes code as its written for bugs, really works. “Is SDL functioning? I don’t know,” Storms admitted. “Without seeing the code analysis, it’s difficult to presume it’s not.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

CDN Staff
CDN Staffhttps://channeldailynews.com
For over 25 years, CDN has been the voice of the IT channel community in Canada. Today through our digital magazine, e-mail newsletter, video reports, events and social media platforms, we provide channel partners with the information they need to grow their business.

Related Tech News

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.