Microsoft, Apple Address Security Issues

Microsoft on Thursday said it plans to release 11 security bulletins next week. Separately, Apple released its Security Update 2008-007, addressing 40 vulnerabilities and other stability issues.

Microsoft intends to release its monthly security update on Oct. 14.

Four of its bulletins -- affecting Active Directory, Excel Host Integration Server, and Internet Explorer -- are rated "critical."

The Excel vulnerability affects various versions of Microsoft Office, including Microsoft Office for Mac 2004 and 2008.

Six of the Microsoft bulletins are rated "important" and one is rated "moderate." The "important" vulnerabilities have to do with privilege elevation and remote code execution. The "moderate" vulnerability has to do with information disclosure.

The Microsoft bulletins do not appear to address a Windows privilege elevation issue that Microsoft warned about in April and again earlier this week, with the publication of exploit code.

Apple's security update fixes flaws in Apache, Certificates, ClamAV, ColorSync, CUPS, Finder, launchd, libxslt, MySQL Server, Networking, PHP, Postfix, PSNormalizer, QuickLook, rlogin, Script Editor, Single Sign-On, Tomcat, vim, and Weblog.

It is available for Mac OS X 10.4.11 and Mac OS X 10.5.5, either through Apple's Software Update control panel or via download from Apple's site.

Apple's Security Update 2008-007 does not appear to address a reported vulnerability in Apple's iTunes software.

Last month, someone using the name "Securfrog" published proof-of-concept exploit code that supposedly can be used to crash any Web browser with the QuickTime plug-in. The code was tested using iTunes 8.0 and QuickTime 7.5.5.

According to Securfrog, Apple plans to fix this vulnerability in its next release of QuickTime.