On the second Tuesday of each month, Microsoft releases security updates for both Windows and specific programs. It sends them out via the automatic Windows Update service and also makes the updates available to download manually.
The October update has 11 fixes, taking care of a total of 20 problems. Each problem is rated for the potential damage it could cause if a hacker took advantage. This month the following programs have problems rated ‘critical’, the most serious rating:
- Office 2000 (specifically Excel)
- Internet Explorer 5 and 6
- Microsoft Host Integration Server
- Windows 2000 Server
Even if you don’t use the automatic update service, you should still strongly consider manually downloading the relevant update if you use any of these applications. Failing to plug these loopholes could lead to serious problems, even for sensible users who don’t generally take any security risks.
Wherever necessary, Microsoft issues kill bits to deal with security problems in third-party software which could cause problems in Windows. A kill bit is an entry in the Windows Registry which blocks the relevant software from running ActiveX content (a type of interactive feature which can be vulnerable to hacking in some cases). This month, kill bits have been issued for the following programs:
- Microgaming Download Helper
- System Requirement Labs
- Photostock Plus Uploader
If you use any of these programs, you should have already received a security update from the manufacturer; the kill bit is merely a back-up on Microsoft’s part. However, it’s worth checking the manufacturer’s website for any new details on the problem or potential problems caused by the kill bit being in place.
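As an added example (not part of the original post), here is a PowerShell check an administrator can run to confirm that a kill bit is actually in place. It assumes the documented registry location for kill bits (the 0x400 bit of the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}); the CLSID used at the end is a placeholder, since the article does not list the affected controls' CLSIDs.

```powershell
# Added example, not code from the article. Kill bits live under this key
# (and under Wow6432Node for 32-bit controls on 64-bit Windows); a control is
# blocked when bit 0x400 of the "Compatibility Flags" DWORD is set.
$KillBitRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    # Returns $true if the given CLSID has the kill bit set in any of the roots.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $KillBitRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band 0x400) -ne 0) { return $true }
    }
    return $false
}

function Get-ActiveXKillBits {
    # Lists every CLSID on this machine that currently has the kill bit set,
    # which is handy for confirming that this month's update applied.
    foreach ($root in $KillBitRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags -and ($flags -band 0x400) -ne 0) {
                [pscustomobject]@{ Clsid = $_.PSChildName; Flags = ('0x{0:X}' -f $flags); Root = $root }
            }
        }
    }
}

# Placeholder CLSID: replace with the value from the vendor's or Microsoft's advisory.
$placeholderClsid = '{00000000-0000-0000-0000-000000000000}'
"Kill bit set for $placeholderClsid : $(Test-ActiveXKillBit -Clsid $placeholderClsid)"
Get-ActiveXKillBits | Format-Table -AutoSize
```

Run it from an elevated prompt after installing the updates; a control that should be blocked but does not appear in the list has not had its kill bit applied.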
While every Microsoft security bulletin rates problems for the damage they could cause if exploited, this is the first bulletin which also predicts how likely it is that hackers will exploit each problem. Microsoft hopes this added detail will be particularly useful in helping IT staff decide which problems to give priority to when monitoring and updating the security on a network.
The rating considers the next 30 days, which is when there’s the biggest risk. That’s because hackers can look at the fixes, figure out exactly what the original bug was, and take advantage before everyone has applied the updates.
This month seven fixes have received the highest rating, ‘Consistent exploit code likely’. These include some of the Office 2000, Internet Explorer 5 and 6, and Host Integration Server issues, making them the most dangerous issues overall.
One of the Internet Explorer problems wasn’t included in the exploitability rating. That’s because Microsoft already knows hackers are widely aware of the problem. However, it doesn’t know of any cases where hackers have succeeded in exploiting that particular vulnerability.