Microsoft’s July Patch Tuesday to fix zero-day vulnerabilities

Two of the bulletins address flaws in the Windows operating system and two address flaws in the Microsoft Office suite of productivity software.

Both Windows bulletins have a maximum rating of critical and both address previously disclosed vulnerabilities.

The first is for Windows XP and 2003 and fixes the Windows Help and Support Center vulnerability published by Google security researcher Tavis Ormandy in June.

Ormandy published his advisory, including exploit code, just five days after reporting the vulnerability to Microsoft.

Ormandy claimed that releasing the information rapidly was in the best interest of security, but Microsoft said it continued to encourage responsible disclosure.

Wolfgang Kandek, chief technology officer at security firm Qualys, said Microsoft has shown an impressive turnaround time on that patch.

The second Windows bulletin fixes a problem in the AERO display driver component for Windows 7 and Windows Server 2008 R2, which was disclosed publicly in May.

Alan Bentley, senior vice-president international for security firm Lumension, said this will have a huge impact as it affects Microsoft's most current and widely deployed desktop and server products.

"IT departments with Windows 7 and/or Windows 2008 R2 should be prepared to prioritise this bulletin", he said.

The two remaining bulletins, one ranked critical and one important, are for Microsoft Office.

Apart from the recently released Office 2010, all versions of Office are affected, including Office XP, Office 2003 and Office 2007.

The impact of the critical bulletin will be limited to businesses that have built applications and processes using Microsoft Access, said Bentley.

"But we want to strongly encourage users to pay attention to the bulletin rated 'important' as it addresses a vulnerability in Microsoft Outlook, and vulnerabilities in e-mail clients are always a concern", he said.

July also marks the end of support for Windows XP SP2 and Windows 2000.

Windows XP SP2 users are advised to upgrade to SP3, which will be supported through to 2014, said Kandek.

"Windows 2000 users need to upgrade to a different version of the operating system altogether, as the entire Windows 2000 line is discontinued", he said.

This story was first published by Computer Weekly