In a record-breaking Patch Tuesday release, Microsoft issued 12 security bulletins to patch 23 vulnerabilities in Windows and Office, including nine critical flaws.
Ten of the updates address flaws in the software giant’s operating system. Several patches fix vulnerabilities that are currently being exploited by hackers, including one used to target PowerPoint presentation software.
Top Priority Patch
MS06-040 should be at the top of IT administrators’ lists this week. This update fixes issues that can be exploited by an anonymous user against Windows XP SP2 to execute arbitrary code, making it a prime candidate for worm intrusion, according to Symantec.
Jonathan Bitle, manager of technical accounts for on-demand vulnerability management firm Qualys, agreed with that assessment.
“MS06-040 addresses the same type of issue that attackers have taken advantage of with other past worms. It’s a buffer overflow issue, and we agree that this is the most critical issue to address right away,” he noted.
“Fortunately, many larger organizations have already put controls in place to address access to this service,” he continued.
Browser Bugs Galore
Several patches in Microsoft’s batch of critical fixes address vulnerabilities in Web-related components of Windows. Five of the nine critical vulnerabilities in this week’s release are found in the Internet Explorer browser. Three other IE flaws are considered less serious.
Three of the eight holes in IE had been disclosed prior to Tuesday’s release, reported Symantec. Four others create a way for attackers to install malicious code on target computers. Three of the eight can be exploited to gain access to a computer through lower IE security settings.
“Last month, a different browser vulnerability was released every day,” remarked Qualys’ Bitle. “Even with eight browser vulnerabilities addressed this month, we anticipate a number of browser-related vulnerabilities [will be] addressed within the next couple of months. There is no way they could have all been addressed in this release.”
Plugging Holes
Bulletins released to plug holes in Microsoft Office included MS06-048, which addresses a PowerPoint vulnerability. MS06-047 fixes a critical bug in Visual Basic. Microsoft said the Visual Basic flaw could be exploited by crafting a malicious document that supports the application’s scripting, putting Word, Excel and PowerPoint users at risk.
The summer months saw 63 vulnerabilities in Microsoft software, breaking previous three-month records. Bitle sees this as part of a trend toward larger monthly patch releases. Another trend, he said, is the rise of client-side exploits, also known as “user interaction attacks.”
“This trend highlights the need to take seriously the requirement across an organization for user training,” Bitle said. “Typically, the weakest link in the security chain is end-users. Organizations need to educate employees on what is acceptable use and what they should be doing on [their] work PC.”