Posted by Virus Bulletin on Oct 10, 2007
Expected patch omitted from monthly security update.
Microsoft has announced the contents of its monthly 'Patch Tuesday' security update release, with four 'Critical' and two 'Important' fixes pushed out to users of its operating systems and software. A fifth issue, labelled 'Critical' in the advance notification released last week, remains open as the expected patch has been held back to resolve issues discovered during final testing.
The critical patches cover single vulnerabilities in Word, Outlook Express/Windows Mail and Kodak Image Viewer, as well as four separate problems found in Internet Explorer, one of which had been publicly disclosed as long ago as February. All could allow an attacker to execute code remotely on vulnerable systems. The less crucial fixes are for a possible denial-of-service vulnerability in the RPC system and a privilege escalation issue in SharePoint.
Little detail has been released regarding the missing patch, except that it was withdrawn following a 'quality control issue'. It seems likely that it will be kept back until next month's Patch Tuesday. Of the vulnerabilities that have been fixed, at least two, the flaws in Word and SharePoint, have had exploits made public or used in targeted attacks, according to SANS.
The full security bulletin detailing all the patches is here, with a Microsoft Security Response Center blog entry describing the changes to the scheduled release here.