On December 8, 2009

Dec 4, 2009 15:05 GMT

Microsoft has readied a security bulletin designed to address a Critical vulnerability in Internet Explorer, including the latest iteration of the browser running in Windows 7. The IE patch will, in fact, be the only one that affects the successor of Windows Vista, as Windows 7 RTM is not affected by any of the other security issues patched in the wave of security updates planned for release on December 8, 2009. The information was made available through the Advance Notification for the December 2009 Security Bulletin Release, a resource designed to help customers get ready for this month’s patches.

“For December we are planning to release six new security bulletins addressing 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of the bulletins have a maximum severity rating of Critical and three have a maximum severity rating of Important. To help customers plan for their deployment of these updates, I want to specifically call out that they touch all supported versions of Windows and IE. On the Office side, the bulletins impact Project, Word and Works 8.5,” revealed Jerry Bryant, Microsoft security program manager.

Bryant notes that the Redmond company treats the patching of a recently disclosed Internet Explorer vulnerability as a top priority. A proof of concept for the IE security flaw has already been released in the wild, meaning that customers are exposed to potential exploits of the vulnerability, although the software giant continues to indicate that no attacks have been detected. According to the company, the 0-day affects only IE6 and IE7, not Internet Explorer 8. It is therefore clear that the IE8 flaw on Windows 7, labeled with a maximum severity rating of Critical, is a different security vulnerability from the zero-day.

“The IE update (…) will be at the top of our deployment priority list. The other critical update affecting Windows will have a lower Exploitability Index rating, so while the impact is higher with a critical severity rating, the lower risk will drop the deployment priority down a little. The final critical update, affecting Microsoft Project, is only critical for Project 2000. The other affected versions are important. That, coupled with a lower Exploitability Index, will also drive it down on the deployment priority list. Customers have asked us to map the numbered bulletins in the ANS to the final bulletin IDs after release, so we will be doing that in the blog post here on Tuesday,” Bryant said.