Microsoft’s Tuesday Patches Did Not Have Word Zero-Day Fixes

Microsoft issued patches on Tuesday, January 9, 2007 to fix vulnerabilities in its Windows and office software but none for several known zero-day flaws in Word.

The software provider issued three vital updates on Tuesday to repair nine security bugs. A fourth one plugs a hole in Brazilian Portuguese Grammar Checker of Office 2003. Microsoft has rated this flaw as only "important".

Microsoft declared two of the Office flaws and the Windows gap as "critical", the firm's highest rating of any threat. One of these critical flaws resides in Microsoft's latest browser, Internet Explorer 7. But, neither does it make impact on Microsoft's new Office 2007 nor on Windows Vista. The company released these packages to business customers that are expected to make ground in the market January 30, 2007.

Microsoft's monthly security bulletin was prominent by the absence of patches for at least three Word exploits that first emerged in December 2006. The Tuesday's set of patches, however, did not include Microsoft's earlier promises as in its Advance Notification Security Bulletin in January 4, 2007.
S
A spokesperson of Microsoft said the company was still assessing the fixes, considering many factors play during the period between the detection of vulnerability and the release of an appropriate update.

She explained once the Microsoft Security Response Center (MSRC) determines the severity level of the flaw, they work to design an update for every associated version that gets affected.

Microsoft originally thought to develop eight security fixes for Windows, Office and Visual Studio. But finally it reduced them to four fixes, eliminating one for Office and three for Visual Studio. These bulletins were perhaps withdrawn for quality issues. Microsoft has never issued patches that would cause disruption, said Andrew Storms at 'nCircle'.

However, these missing patches have a high impact on business and their public scrutiny together may demand Microsoft to issue an out-of-cycle security patch for those vulnerabilities.

A Symantec Security Response director, Oliver Friedrichs said Tuesday's patch release demonstrates that the number of flaws for the Windows platform is not receding. Attackers are speedily exploiting vulnerabilities making it imperative for users to install updated patches immediately.

Related article: Microsoft Patches Live OneCare to Tackle Quarantined E-Mails

» SPAMfighter News - 1/17/2007