
A light month for MS Security Patches?

September 7th, 2006

So the advanced notification is out... It's looking like a light one this month.

There are only three security-related updates in total. 2 of them are Windows-related but the highest rating is Important... which in Microsoft-ese means:

A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.

So, worst-case scenario? A DoS...

There's also an Office update, severity rating Critical... which in Microsoft-ese means:

A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

This is where I always get confused... I'd love to see Microsoft define "user action". Last time I checked, my Office didn't open any listening ports. So now I have to at a very minimum download a file or check my email. That sounds like user action to me... but accepting that those are daily, accepted actions so common that they don't qualify as "user action", that still leaves other questions. Most Office exploits, except for those associated with Outlook, require that you actually open and view the document. Wouldn't this also be user action? I move my mouse, I double-click on a file... I acted, did I not? Which would mean that, if checking your mail doesn't count as user action, the only possible Office product that could be vulnerable to a Critical-level vulnerability would be Outlook. Now that would mean that this Patch Tuesday, Microsoft is going to completely ignore the new Word 2000 0-Day. This doesn't seem overly likely... So I'm guessing that opening a file doesn't count as user action either.

So I'm ending today's post with a question. What is "user action" as defined by Microsoft?

Peace,
HT
