Patch Management

Microsoft slates six fixes for year’s final Patch Tuesday

December 3, 2009

Microsoft on Tuesday expects to push out six patches to address 12 vulnerabilities as part of its monthly security update, the company announced.

The fixes — three are rated "critical," the rest are labeled "important — will address bugs in Windows, Internet Explorer (IE) and Microsoft Office, according to an advance notification released Thursday.

The update plans to address at least one known zero-day vulnerability, an issue impacting IE versions 6 and 7. Microsoft confirmed the flaw, rated critical on all Windows platforms except Server 2008, in an advisory it released late last month.

"We know that customers are concerned about this issue, and we are also aware that proof-of-concept code is available publicly," Jerry Bryant, a senior security program manager at Microsoft, wrote Monday in a blog post.

Experts at Rapid7, a vulnerability management firm, said organizations should make this patch a priority.

The other critical bulletins set to be released impact Windows and Microsoft Project, a project management software program for Office.

Apparently not slated for repair is a zero-day vulnerability in the Server Message Block (SMB) protocol, according to an advisory released last month. The company said successful exploitation of the flaw, which affects Windows 7 and Server 2008 Release 2, can lead to a denial-of-service that results in a system crash — but not the injection of malicious code. Exploit code has been published, but Microsoft is not aware of any active attacks underway.

prestitial ad