Friday, January 18, 2008
Windows Server Update Service will include an automatic upgrade to Internet Explorer 7.
Microsoft warns of IE7 automatic update
IT managers given guidelines to stick with IE6
Microsoft is reminding IT managers that the scheduled 12 February rollout of Windows Server Update Service will include an automatic upgrade to Internet Explorer 7.
Companies wishing to remain with IE6 have been offered guidelines explaining how to prevent the automated update taking effect.
If the update service is configured to automatically approve Update Rollups, IE7 will be downloaded and installed on workers' PCs when the release becomes available.
IT administrators will need to disable the auto-approval rule before the deadline to prevent the download.
Microsoft claimed that the move was prompted by security concerns.
Many companies will choose to remain with IE6 as some web-based applications experience issues running with IE7.
Microsoft fixes 11 flaws in latest update
Microsoft has plugged 11 security vulnerabilities as part of the release.
Five of the vulnerabilities carry a severity rating of 'critical', five are labelled 'important' and one is labelled 'moderate'.
The 'critical' vulnerabilities affect Excel 2000, Windows Server 2000 and versions 1.0, 1.1 and 2.0 of the .Net framework. An attacker could use each vulnerability to remotely execute malicious code on a target system.
A remote code execution vulnerability was also found in Office Publisher 2007. An attacker could use a specially crafted '.pub' file to take control of the target system with the privileges of the current user.
The vulnerability is classified as 'important' rather than 'critical' because the attacker would have to convince the user to manually launch the malicious file.
None of the 'critical' vulnerabilities affects Windows Vista, but the 'moderate' vulnerability lies within the firewall security software in the 32-bit and 64-bit versions of Vista.
If the flaw is exploited, an attacker could access the network interface and view sensitive user information.
Oliver Friedrichs, director of emerging technologies at Symantec Security Response, warned that, while the firewall vulnerability is not severe, it is still significant.
The flaw indicates that Vista's new networking components, or network stack, are not bullet-proof.
"A network stack can take decades of heavy scrutiny in order to become battle hardened," Friedrichs said in an emailed statement.
"As an operating system's first line of defence, its quality is directly related to its ability to withstand attack."
Users can download the monthly update through Windows Update or from Microsoft's TechNet website.
Microsoft bundles its patches in security bulletins, each covering one application or software component. July's security update contained six bulletins.
Posted by SANJIDA AFROJ at 11:20 PM