July 3rd, 2008
On deck from MS: Four 'important' patches but nothing for IE
Next Tuesday, Microsoft plans to ship four security updates for multiple flaws affecting Windows, Microsoft SQL Server and Microsoft Exchange Server but the absence of fixes for publicly known Internet Explorer issues is causing raised eyebrows among security professionals.
According to the company’s advance notice for July’s Patch Tuesday, all four bulletins will be rated “important,” meaning that these flaws could be exploited to result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.
All supported versions of Windows are affected by these bulletins, including the newest Windows Vista and Windows Server 2008 operating systems.
[ SEE: Exploit code released for unpatched IE 7 vulnerability ]
However, if you’re an Internet Explorer user, you can’t be happy that Microsoft is leaving you on hold for another month without a cumulative IE update.
There are several known — and publicly discussed — code execution flaws haunting the world’s most widely used browser. These include the Safari-to-IE bug reported by Aviv Raff, the cross-domain zero-day affecting IE 6, the cross-site scripting bug reported by Roel Schouwenberg, the print table of links issue, and the serious iFrame hijacking flaw discussed by Sirdarckat.
There really is no excuse for the delay in patching the Safari-to-IE code execution flaw. It was reported to Microsoft since 2006!
* Image source: Jeff Wilcox’s Flickr photostream (Creative Commons 2.0).
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
