Microsoft on Tuesday released six security bulletins addressing a range of bugs in Windows and Office. The flaws are rated from important to critical, the company said.
Five of the six carry Microsoft’s most severe rating, critical; the remaining one is rated important. All six allow an attacker to execute code remotely. Internet Explorer (IE), Microsoft Agent, XML Core Services, the Workstation Service and the Adobe Flash Player shipped with Windows are among the affected components.
“Of the other vulnerabilities patched, the one in the Workstation Service stands out, as it can be used to create a fully automated worm [that] could cripple Internet traffic and compromise Windows 2000 systems on a global scale,” said Monty Ijzerman, senior manager of the Global Threat Group for McAfee Avert Labs.
ActiveX Bugs
Several of this month’s critical bugs involve content rendering and ActiveX controls, continuing a trend that tracks the recent sharp rise in spam volume and the evolution of botnets.
The flaws fixed by MS06-068 (Microsoft Agent) and MS06-071 (XML Core Services) can be triggered simply by luring a user to a Web page that serves malformed content. MS06-069 addresses a Flash Player vulnerability that lets an attacker craft convincing Flash content carrying malicious code capable of taking complete control of the user’s system.
“This month’s patches validate a continuing trend of exploits that make it easy for attackers to target users who are just browsing the Web, making these patches critical for consumers and enterprises alike — particularly with enterprises moving toward unrestricted Web access for all users,” noted nCircle IT Director Andrew Storms.
An Unaddressed Threat
One threat not addressed in this Patch Tuesday release is a Visual Studio 2005 vulnerability that is currently being exploited, primarily against developers, said Chris Andrew, vice president of Security Technologies for PatchLink.
“The reality is that most of these vulnerabilities are available for many months and once they’re announced, it’s become a mad dash between vendors and hackers,” Andrew told TechNewsWorld. “Until there is an official patch released by Microsoft, IT administrators should use the recommended workaround to ensure all security loopholes are closed.”
That recommended workaround entails the following:
- Preventing the vulnerable Visual Studio ActiveX control (the WMI Object Broker) from running in IE by setting its kill bit;
- Configuring IE to prompt before running Active Scripting, or disabling Active Scripting altogether;
- Configuring IE to prompt before running ActiveX controls, or disabling ActiveX controls, in the Internet and Local Intranet security zones; and
- Setting the Internet and Local Intranet security zones to “High”, which prompts before running ActiveX controls and Active Scripting in those zones.
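The PowerShell below is an added example, not code from the article, PatchLink or Microsoft. It applies the zone workaround above for the current user by writing the registry values Internet Explorer reads for its Local Intranet (zone 1) and Internet (zone 3) security zones, returns the previous values so the change can be rolled back once a patch ships, and adds a helper that sets the kill bit for an ActiveX control by CLSID. The CLSID itself must be taken from Microsoft's advisory; none is hard-coded here. The function names and the use of the per-user HKCU zone keys are assumptions made for this example; the action IDs (1200, 1400), the 0/1/3 values and the 0x400 kill-bit flag are Microsoft's documented values.

```powershell
# Added example: not Microsoft's or PatchLink's code. Function names are chosen here.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Documented IE zone action IDs and values (URL security zone template)
$RunActiveX      = '1200'   # "Run ActiveX controls and plug-ins"
$ActiveScripting = '1400'   # "Active scripting"
$ActionPrompt    = 1        # 0 = Enable, 1 = Prompt, 3 = Disable
$ActionDisable   = 3
$LevelHigh       = 0x12000  # CurrentLevel value for the "High" slider position

function Get-IEZoneState {
    # Returns the current ActiveX / Active Scripting settings for the given zones
    param([int[]]$Zones = @(1, 3))   # 1 = Local Intranet, 3 = Internet
    foreach ($z in $Zones) {
        $p = Get-ItemProperty -Path (Join-Path $ZoneRoot $z) -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Zone            = $z
            RunActiveX      = $p.$RunActiveX
            ActiveScripting = $p.$ActiveScripting
            CurrentLevel    = $p.CurrentLevel
        }
    }
}

function Set-IEZoneHardening {
    # Applies the workaround: Prompt (default) or Disable for ActiveX and Active
    # Scripting, and moves the zone slider to High. Returns the previous state
    # so it can be restored once the official patch is deployed.
    param(
        [int[]]$Zones = @(1, 3),
        [switch]$Disable
    )
    $action   = if ($Disable) { $ActionDisable } else { $ActionPrompt }
    $previous = Get-IEZoneState -Zones $Zones
    foreach ($z in $Zones) {
        $key = Join-Path $ZoneRoot $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $RunActiveX      -Value $action    -Type DWord
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value $action    -Type DWord
        Set-ItemProperty -Path $key -Name 'CurrentLevel'   -Value $LevelHigh -Type DWord
    }
    return $previous
}

function Set-ActiveXKillBit {
    # Sets the documented kill bit (Compatibility Flags = 0x400) so IE refuses to
    # instantiate the control regardless of zone settings. Needs an elevated shell.
    param([Parameter(Mandatory = $true)][string]$Clsid)  # '{GUID}' from the vendor advisory
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw 'CLSID must be supplied in {GUID} form'
    }
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

# Usage:
#   $rollback = Set-IEZoneHardening            # prompt for ActiveX and scripting in zones 1 and 3
#   Get-IEZoneState | Format-Table             # verify what IE will now enforce
#   Set-ActiveXKillBit -Clsid '<CLSID from the Microsoft advisory>'
```

Two practical caveats: the zone values live under HKCU, so they protect only the user whose hive is written (at enterprise scale the same action IDs are pushed through Group Policy instead), while the kill bit is machine-wide and stays in force after the patch, which is the behaviour you want for a control that has no legitimate browser use.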
Reboot Policies
As vulnerabilities become an ever more prevalent fact of life, it is important to deploy all five critical updates together so that only one reboot is needed, Andrew explained, because rebooting every time a critical patch is pushed out is a chore and irritates end users.
PatchLink recommends setting up a policy that offers three chances for the end user to reboot his/her machine, then enforces the patch deployment to ensure the user’s machine gets patched no matter what.
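One way to implement the three-chances-then-enforce policy, as an added PowerShell example that is not PatchLink's product logic: the deferral count is persisted in the registry so it survives logoff and reboot, the decision rule is kept in a side-effect-free function, and the user is prompted with a timed Yes/No dialog, with a timeout treated the same as a refusal. The registry key, the function names, the five-minute prompt timeout and the dialog text are assumptions made for this example.

```powershell
# Added example, not PatchLink's code. $PolicyKey and function names are assumptions.
$PolicyKey        = 'HKLM:\SOFTWARE\ExampleCorp\PatchReboot'   # hypothetical key
$MaxDeferrals     = 3      # the user is prompted three times; a refusal on the third is enforced
$PromptTimeoutSec = 300

function Get-DeferralCount {
    # How many times this machine's user has already postponed the reboot
    if (-not (Test-Path $PolicyKey)) { return 0 }
    $v = (Get-ItemProperty -Path $PolicyKey -Name Deferrals -ErrorAction SilentlyContinue).Deferrals
    if ($null -eq $v) { 0 } else { [int]$v }
}

function Get-RebootDecision {
    # Pure decision logic: prior deferrals plus this prompt's answer -> action.
    param(
        [int]$Deferrals,
        [ValidateSet('Yes', 'No', 'Timeout')][string]$Answer
    )
    if ($Answer -eq 'Yes')                 { return 'RebootNow' }
    if ($Deferrals + 1 -ge $MaxDeferrals)  { return 'ForceReboot' }   # last chance used up
    return 'Defer'
}

function Invoke-RebootPolicy {
    $count = Get-DeferralCount
    $left  = $MaxDeferrals - $count
    $shell = New-Object -ComObject WScript.Shell
    # Popup type 4 = Yes/No buttons; return value 6 = Yes, 7 = No, -1 = timed out
    $rc = $shell.Popup("Security updates are installed. Reboot now? You may postpone $left more time(s).",
                       $PromptTimeoutSec, 'Patch reboot', 4)
    $answer = switch ($rc) { 6 { 'Yes' } 7 { 'No' } default { 'Timeout' } }
    $decision = Get-RebootDecision -Deferrals $count -Answer $answer
    switch ($decision) {
        'Defer' {
            if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
            Set-ItemProperty -Path $PolicyKey -Name Deferrals -Value ($count + 1) -Type DWord
        }
        default {
            # RebootNow or ForceReboot: clear the counter for the next patch cycle, then restart
            Remove-ItemProperty -Path $PolicyKey -Name Deferrals -ErrorAction SilentlyContinue
            Restart-Computer -Force
        }
    }
    return $decision
}

# Usage (from the post-install step of the deployment job, in an elevated context):
#   Invoke-RebootPolicy
```

Keeping the decision rule in Get-RebootDecision makes the policy testable without touching the registry or rebooting anything; the counter is reset on every reboot so a machine that was patched and restarted starts the next cycle with a full set of deferrals.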
“Hopefully, by implementing these policies and processes, Patch Tuesday will become a less onerous task,” Andrew concluded.