Retail Technology
Microsoft plans to release just three security patches this month, but overlooks a critical IE flaw prior to the Christmas shopping season


Microsoft may be taking a bit of a breather pre-Christmas, but that doesn’t mean an easy month for IT managers this patch Tuesday, according to security firm Lumension.

 

The software giant late last week released advance notification of its monthly round of security patches, which are released on the second Tuesday of each month.

 

The notice confirmed that it would fix a critical issue in Office 2010, but not a recently uncovered flaw in Internet Explorer (IE).

 

Alan Bentley, international senior vice president at Lumension, commented: “Following the biggest patch Tuesday on record last month, Microsoft is catching its breath, with just three bulletins to be issued for November. Only one is critical, but all three may require a restart.

 

“While it may be a quieter month for patches, there’s still the matter of the Internet Explorer vulnerability that was discovered in the wild being used in ‘drive-by’ hacks that allow an attacker to perform a remote code execution, loading malware onto a visiting user’s network.”

 

Xmas shopping IE risks

 

He continued: “Despite this vulnerability affecting IE versions 6, 7 and 8 there continues to be no mention of it and Microsoft, despite issuing a workaround, is not expected to release an out-of-band patch. This could leave many users waiting for more than a month before they know they are fully protected from this threat, because a workaround typically is not implemented by the majority of users.

 

“In the run up to Christmas, with industry experts predicting online shopping in the UK to increase by 23% from 2009, it seems rather surprising that Microsoft haven’t prioritised a patch.”

 

In other patch news, Bentley pointed to Mozilla’s release of Firefox 3.6.12 and Firefox 3.5.15 to patch a vulnerability that had been exploited by malware secretly planted on the Nobel Peace Prize website. The malware redirected users to a Taiwanese attack server that launched a JavaScript-based exploit which, if successful, planted a Trojan horse on victimized Windows PCs.

Adobe Systems also plans to release a patch by Thursday to address a critical vulnerability in Adobe Flash Player. In addition, a local privilege escalation vulnerability that could allow attackers to execute malicious code with root rights was patched in the newly released Linux kernel 2.6.36.

“So it might be a quieter month on the Microsoft front, but IT managers will still have their hands relatively full with a number of other notable patches from Adobe, Mozilla and Linux to contend with,” Bentley concluded.