Microsoft Issues Record Number of Critical Patches
Oct 11, 2006 7:59 AM PT
Microsoft on Tuesday addressed 26 vulnerabilities in its monthly cycle of security patch releases, marking the software giant's largest Patch Tuesday this year.
Microsoft issued 10 security bulletins to patch vulnerabilities in Windows, Office and .Net. Six of the bulletins were rated "critical," a record number since the company implemented its Patch Tuesday process. One update was ranked "important," two judged "moderate" and three rated as "low" risk.
"Among the 26 vulnerabilities being patched, 15 are rated critical by Microsoft, and 16 target applications. This continues the trend toward applications-based malware and application targeted vulnerabilities," said Monty Ijzerman, senior manager of the Global Threat Group for McAfee Avert Labs.
Four Zero-Day Threats
As security researchers anticipated, four zero-day threats are addressed in the release, which includes a fix for the much-hyped Microsoft Word vulnerability that had already been exploited by hackers. Microsoft also made patches available for a recently discovered PowerPoint hole and a shell vulnerability within Windows Explorer that can execute malicious code on systems whose users are viewing contents in "Web view."
"The majority of the six critical patches ... address vulnerabilities that require user interaction to exploit, a trend that has been prevalent in the last several releases. However, there is one vulnerability that enables remote exploit in the server service, which provides support for file and print sharing, essentially the function that allows users to permit access to their local resources," Amol Sarwate, director of the vulnerability research lab at Qualys, told TechNewsWorld.
Office accounted for 62 percent of the vulnerabilities in this cycle. Eighty-six percent of those were marked critical. Four critical Office patches are perfect fodder for a new round of viruses, according to nCircle IT Director Andrew Storms.
"This is a big impact for major enterprises that haven't yet deployed Service Pack 2. In addition to all of the patches released that need to be tested and deployed this month, enterprises on XP Service Pack 1 will also need to evaluate the level of risk associated with moving to SP2, reprioritize based on this risk level and then reevaluate their patch prioritization. This has huge implications for the enterprise IT teams," Storms noted.
Reviewing Recommendations
McAfee recommends that security administrators pay special attention to the MS06-057 vulnerability in the Windows shell because it is remotely exploitable by an anonymous user. This vulnerability has a critical rating and has been widely exploited in so-called "drive-by install" and "drive-by download" attacks through Internet Explorer.
Qualys also advises organizations to pay special attention to MS06-057 and patch systems accordingly, as the server service is a feature that is turned on by default on Windows systems.