Microsoft plans to announce seven fixes for its upcoming June 10 issue of Security Bulletin. Three out of Seven are critical patches.

The three critical updates fix holes in Windows, and one in Internet Explorer, which all allow remote code execution using Bluetooth, IE and DirectX. The three important updates all relate to Windows and remote code execution as does the single moderate update. The company is also releasing an updated version of its Malicious Software Removal Tool.

The patch will fix IE6 and IE7 running in all supported editions of Windows, including Windows 2000, XP, Server 2003, Vista and Server 2008. Microsoft has pegged the IE fixes in the client operating systems as critical, but only as moderate on the server side.

In addition to the three critical flaws, Microsoft is releasing three bulletins rated “important” affecting numerous versions of Windows in PGM, Active Directory and WINS. If exploited, the flaws in both PGM and Active Directory could lead to a denial of service attack.

The seven-update list is “one of the most diverse and interesting in a long time. It runs the gamut as far as the distribution of where they are in the operating system and software. The only thing we’re missing is [a vulnerability for] Excel or Outlook, and we’d have one for everything that Microsoft makes,” said Andrew Storms, director of security operations at nCircle Network Security Inc.

Source: Channel Web

According to Nick MacKechnie, a senior technical account manager at Microsoft New Zealand, we can expect the next beta of Internet Explorer 8 to arrive in the third quarter of this year. And unlike the current test version, which is marked as a “developer preview,” this version will be a public beta targeted at all consumers. IE8, the follow-on to 2006’s IE7, was released in Beta 1 nearly three months ago.

Microsoft says it’s a good idea to start updating your IE7-compliant sites now, before the public beta of IE8 is released, so that you can avoid problems when the new browser starts to go mainstream. Even better than adding new IE-specific tags or headers, though, would be to try to re-code those pages so that they observe proper Web standards. That’s going to be the best way to ensure that your pages are viewable across all browsers on the widest variety of platforms, which can save you time and money in the long run.

The first beta of IE8 is not exactly in widespread use. According to the latest data from Web metrics company Net Applications Inc., IE8 Beta 1 accounted for just .02% of all browsers used last month. IE7, by comparison, held the top spot with a market share of 45.9%.

IE8 Beta 1, which runs in Windows XP, Vista, Server 2003 and Server 2008, can be downloaded from Microsoft’s Web site.

Source: PC World

Last December, Microsoft rolled out Service Pack 1 , a total of 320 MB. The update includes fixes for 455 issues throughout the entire Office suite. Microsoft is not going to push users for Automatic Update for at least three months. “We’ll give users a 30-day notice before throttling up [SP1 via] Automatic Update,” promised Shaffner, worldwide product manager for Office. The notice will be posted on Microsoft’s Web site and publicized elsewhere.

Shaffner and Rizzo detailed only a few new features in SP1, including support for the not-yet-released Windows Server 2008 and beefed up compatibility between 2007’s native file format, Office Open XML and the formats used by earlier editions of the suite. Also, Office 2007 SP1 features a slew of security patches and bug fixes (including the mathematical error in Excel), but doesn’t add any new features. Aside from bug fixes, SP1 reportedly offers a number of performance enhancements, particularly for those running Windows Vista, where performance often lagged.

You can get a more complete description of SP1, including a list of issues that were fixed, in the Microsoft Knowledge Base article 936982: Description of the 2007 Microsoft Office suite Service Pack 1.

You might ask, why Service Pack 1? Well, SP1 focuses on the issues that matter to users of Office 2007 which have been collated based on direct customer feedback and error reporting tools.

Source: PC World

Microsoft Windows Vista SP1 contains changes focused on addressing specific reliability and performance issues, supporting new types of hardware, and adding support for several emerging standards. Windows Vista SP1 also addresses some management, deployment, and support challenges. Windows Vista Service Pack 1 will download automatically to PCs that have the automatic update feature of the OS turned on, the company said.

Microsoft has acknowledged problems with application compatibility and lack of driver support, among others, that customers have had with Vista. It says SP1 and other updates that the company continues to make should remedy these problems. What the company hasn’t said is why there were so many problems with the OS when the company had more than five years between the releases of Windows XP and Vista to ensure a smooth transition.

Even after today’s announcement, however, some Vista users may not see SP1 for weeks or even months because their PCs are using defective device drivers that Microsoft says may cause problems during an upgrade. It is blocking systems with those drivers from obtaining SP1 until the drivers themselves have been updated.

Users can obtain SP1 by downloading a much larger standalone installer from Microsoft’s site if the service pack is not visible in Windows Update.

Microsoft patches a critical flaw in the Windows operating system that could be used by criminals to create a self-copying computer worm attack.

The software vendor released its first set of patches for 2008 on Tuesday, fixing a pair of networking flaws in the Windows kernel. Microsoft also released a second update for a less-serious Windows flaw that would allow attackers to steal passwords or run Windows software with elevated privileges.

The critical bug lies in the way Windows processes networking traffic that uses IGMP (Internet Group Management Protocol) and MLD (Multicast Listener Discovery) protocols, which are used to send data to many systems at the same time. Microsoft says that an attacker could send specially crafted packets to a victim’s machine, which could then allow the attacker to run unauthorized code on a system.

Because IGMP is enabled in Windows XP and Vista by default, this bug could be used to create a self-copying worm attack, Microsoft said Tuesday. Windows uses the IGMP protocol for many popular consumer applications such as streaming video, multiplayer games and universal plug-and-play.

Courtsey: PC World