Monday, June 8, 2009

Patch Tuesday heads-up: Critical Windows, IE fixes coming

Microsoft plans to ship 10 security bulletins next Tuesday (June 9, 2009) with fixes for a wide range of code execution vulnerabilities affecting Windows, Microsoft Office and Internet Explorer. Six of the ten bulletins will be rated “critical,” Microsoft’s highest severity rating.

This month’s batch of patches will not include a fix for the DirectShow vulnerability that’s currently being used in drive-by download attacks against Windows Media Player.

You may have noticed that we are not announcing an update for the DirectShow vulnerability addressed in Security Advisory 971778. Our security teams are working hard on a security update that addresses this issue to protect customers, but we do not yet have an update that has reached the appropriate level of quality for broad distribution. We continue to monitor the situation closely and suggest customers follow the guidance provided in the advisory.

In the absence of that fix, Windows users should immediately consider disabling QuickTime parsing to thwart the ongoing attacks. This KB article provides a fix-it button that automatically enables the workaround.

Microsoft also announced that an Office for Mac fix will be coming this month to address vulnerabilities already fixed in May’s MS09-017. Microsoft originally shipped fixes for Windows users but the Mac patches were not ready in time.

The image above captures the essence of this month’s fixes. Windows users should treat the IE and critical Windows patches with the utmost priority. Businesses considered at high risk of targeted attacks should immediately test and deploy the Microsoft Office patches.

The Windows patches will be available for all versions of the operating system — Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
