TechNewsWorld.com

Patch Tuesday Bulletins Include Nine Critical Fixes

By Jennifer LeClaire
Aug 9, 2006 11:29 AM PT

In a record-breaking Patch Tuesday release, Microsoft issued 12 security bulletins to patch 23 vulnerabilities in Windows and Office, including nine critical flaws.

Ten of the updates address flaws in the software giant's operating system. Several patches fix vulnerabilities that are currently being exploited by hackers, including one used to target PowerPoint presentation software.

Top Priority Patch

MS06-040 should be at the top of IT administrators' lists this week. This update fixes issues that can be exploited by an anonymous user against Windows XP SP2 to execute arbitrary code, making it a prime candidate for worm intrusion, according to Symantec.

Jonathan Bitle, manager of technical accounts for on-demand vulnerability management firm Qualys, agreed with that assessment.

"MS06-040 addresses the same type of issue that attackers have taken advantage of with other past worms. It's a buffer overflow issue, and we agree that this is the most critical issue to address right away," he noted.

"Fortunately, many larger organizations have already put controls in place to address access to this service," he continued.

Browser Bugs Galore

Several patches in Microsoft's batch of critical fixes address vulnerabilities in Web-related components of Windows. Five of the nine critical vulnerabilities in this week's release are found in the Internet Explorer browser. Three other IE flaws are considered less serious.

Three of the eight holes in IE had been disclosed prior to Tuesday's release, reported Symantec. Four others create a way for attackers to install malicious code on target computers. Three of the eight can be exploited to gain access to a computer through lower IE security settings.

"Last month, a different browser vulnerability was released every day," remarked Qualys' Bitle. "Even with eight browser vulnerabilities addressed this month, we anticipate a number of browser-related vulnerabilities [will be] addressed within the next couple of months. There is no way they could have all been addressed in this release."

Plugging Holes

Bulletins released to plug holes in Microsoft Office included MS06-048, which addresses a PowerPoint vulnerability. MS06-047 fixes a critical bug in Visual Basic. Microsoft said the Visual Basic flaw could be exploited by crafting a malicious document that supports the application's scripting, putting Word, Excel and PowerPoint users at risk.

The summer months saw 63 vulnerabilities in Microsoft software, breaking previous three-month records. Bitle sees this as a trend toward increasing the size of the fixes released each month. Another trend, he said, is the rise of client-side exploits, also known as "user interaction attacks."

"This trend highlights the need to take seriously the requirement across an organization for user training," Bitle said. "Typically, the weakest link in the security chain is end-users. Organizations need to educate employees on what is acceptable use and what they should be doing on [their] work PC."

