July 8th, 2010, 21:17 PM
Microsoft to patch Google engineer's zero-day next week
Microsoft today said it will deliver four security updates next week to patch five vulnerabilities in Windows and Office, including the bug that a Google researcher took public a month ago.
As expected, the slate for next Tuesday is relatively short: Microsoft has been shipping alternating large and small batches of fixes, with the larger updates landing in even-numbered months. In June, for example, the company issued 10 bulletins that patched a record-tying 34 vulnerabilities. May's collection, meanwhile, amounted to just two bulletins that fixed two flaws.
"This month is light, and would have been even lighter if Tavis hadn't forced them to move faster than their norm [to patch his vulnerability]," said Wolfgang Kandek, the chief technology officer of Qualys.
Kandek was referring to Tavis Ormandy, the Google security engineer who published attack code in early June for a bug in Windows XP's Help and Support Center, a feature that lets users access and download Microsoft help files from the Web and that support technicians can use to launch remote support tools on a local PC. The bug, Microsoft said today, also affects Windows Server 2003.
Full story: Computerworld