23 Microsoft patches this month


Thanks to Information Week for this info on some really nasty Windows holes that need to be patched now.

Microsoft on Tuesday published 12 security bulletins for Windows and Office that patched 23 vulnerabilities, 16 of which the Redmond, Wash. developer tagged as “critical.” Both the number of bugs disclosed and the tally of critical fixes broke previous records.

Ten of the updates addressed flaws in Windows, while 2 affected Microsoft Office or one of its bundled applications. According to security analysts, several of the bulletins patch vulnerabilities that are already being exploited in the wild, including one used to attack the PowerPoint presentation maker just days after July’s security updates were revealed.

Security analysts immediately pegged the MS06-040 bulletin as the fix to apply first.

In an alert to customers of its DeepSight threat system, Cupertino, Calif.-based Symantec noted that MS06-040, which fixes a flaw in Windows’ Server service, should be patched pronto. “At least one exploit for the issue has already been developed, and as such may be released soon,” Symantec stated. “The issues can be exploited by an anonymous user against Windows XP SP2 to execute arbitrary code, making it a prime candidate for a worm.”

Mike Murray, director of research at vulnerability management vendor nCircle, was even more adamant about MS06-040’s potential. “We’ve seen these kinds of service vulnerabilities before, and for one reason or another, [worms] haven’t turned up,” said Murray. “But all is lined up for this to be a big one.”

The bug, which affects all currently supported versions of Windows, including fully-patched Windows XP SP2 and Windows Server 2003 SP1, is similar to, but not identical to, the 2003 RPC vulnerability that led to the MSBlast worm.

“We won’t know for about 24 hours exactly how dangerous this is, but it could end up presenting a major problem,” Murray said. “It looks like Windows’ authentication isn’t needed, so an anonymous user could launch from outside the network.”

Symantec also reminded users that a similar bug was responsible for one of the biggest worm attacks ever. “The vulnerable service is the same used by the Blaster worm in past years,” the alert read.

Nine of the dozen bulletins were labeled as critical, Microsoft’s most dire rating. Among them were several that plugged various holes in Web-related components of Windows. Internet Explorer, Microsoft’s browser, accounted for more than a third of the total bugs (8 out of 23) and for 5 of the 16 critical ones, all addressed in MS06-042. Even the most secure version of the browser, IE 6 for Windows XP SP2, was hit with 3 critical fixes.

“Just like always, we’re seeing all this Web stuff,” said Murray. “We’re back to the monthly IE vulnerabilities fix.”

According to Symantec, 3 of the 8 bugs in IE had been disclosed before Tuesday, 4 let attackers introduce their own code to a compromised system, and 3 can be exploited to gain access through lower IE security settings.

Chris Andrew, vice president of security technologies at PatchLink, took a different tack than his rival Murray and touted the browser bugs as those to fix first. “The importance of the browser should mean getting it patched ASAP,” said Andrew.

But he also pointed out that other fixes marked “critical” shouldn’t be ignored. “None of them are really ‘wait til later,’” he said.

While Windows got the most attention, Microsoft Office was the subject of two bulletins and three vulnerability fixes. PowerPoint was patched by MS06-048, while a critical bug in Visual Basic was plugged by MS06-047. The latter, said Microsoft, could be exploited by crafting a malicious document that supports Visual Basic scripting. Word, Excel, and PowerPoint users are at risk. On the plus side, said Symantec, up-to-date versions of Office 2003 (SP1 and SP2) are immune. As with some Office fixes released in June and July, the PowerPoint bulletin also affects Mac users of Office X and Office 2004. Mac patches can be downloaded from Microsoft’s Mac-specific site.

August’s count of 12 bulletins and 23 patches brought the three-month vulnerability count to a whopping 63, and the bulletin tally to 31, totals that easily broke previous records.

“It’s been quite a summer,” said Murray, who saw the numbers as a good thing.

“More important than anything else, I think this shows that Microsoft is being more transparent,” Murray argued. “In the past, Microsoft would release a couple of bulletins but then patch a bunch of other stuff on the back end without telling us.

“Now they’re a lot more transparent. They’re showing us everything there is to show.”

PatchLink’s Andrew saw a different rationale for the glut. “The rate of [vulnerability] discovery is outstripping the rate of patching,” Andrew said as he noted that security researchers — both black hat and white hat — are increasingly turning to automated tools to help them dig up bugs.

“That results in a backlog of vulnerabilities that need to be fixed,” Andrew said.

Users can obtain the month’s patches via Windows’ Automatic Update, from the Microsoft Update service, or through other software and services the company offers, including Windows Server Update Services (WSUS) and Software Update Services (SUS).
