Microsoft has announced that it will be offering four security updates next week to fix five gaping holes in its Windows and Office software which have left thousands of users at the mercy of hackers.
The biggest fix on the agenda is a patch for the Windows XP Help and Support Centre bug, which Tavis Ormandy, a Google engineer, exposed in early June, invoking the wrath of the Vole which said it had not been given enough time to address the problem. Windows XP launched nine years ago. Ormandy leaked the details of the vulnerability after Microsoft refused to give him a concrete timeline on when a patch would be made available.
Since then over 10,000 Windows XP users have had their PCs hacked using the CVE-2010-1885 exploit, forcing Microsoft to issue a security advisory in early July.
Microsoft’s hostile response to Ormandy, who also exposed a 17-year old Windows kernel vulnerability in January, led to a flurry of other security researchers exposing holes in the Vole’s systems.
Last week an anonymous group of people called the Microsoft-Spurned Research Collective released information about a Windows Vista and Server 2008 vulnerability.
Also last week Vupen Security leaked information about two Office 2010 bugs, only weeks after the release of the product. Vupen has identified dozens of Microsoft vulnerabilities throughout 2010 and expects to find plenty more in the latest version of Office.
Now Microsoft is set to address some of these issues in a critical update on Tuesday, July 13. There will be three critical updates and one important one, two affecting Windows and two affecting Office.
The Google-exposed Windows XP vulnerability will be top of the list in efforts to eliminate the serious hacking problem that has been ongoing for the last month. Another big fix is a bug affecting 64-bit versions of Windows 7 and Server 2008 R2, which Microsoft recognised in May. The Office updates will affect Access and Outlook, which means the Vole-holes Vupen has exposed will remain unplugged for now.