Article

Microsoft releases Office, Windows fixes

Bill Brenner, Senior News Writer
As expected, Microsoft released three security fixes Tuesday for flaws in components of Windows and Office. One security expert recommended IT administrators use the lighter patching load as an opportunity to tighten defenses against ever-increasing zero-day threats.

The only critical update this month is

    Requires Free Membership to View

    Login

MS06-054, which addresses a remote code execution vulnerability in Microsoft Publisher, part of Microsoft Office. The flaw surfaces when the program handles malformed PUB files.

More on patches
Three patch updates planned for Windows, Office

Patch management tips
"If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft officials said. "An attacker could then install programs; view, change or delete data; or create new accounts with full user rights."

The flaw affects Office 2000 Service Pack 3, Office XP Service Pack 3; Office 2003 Service Pack 1; Office 2003 Service Pack 2; and Microsoft Publisher 2000, 2002 and 2003.

Meanwhile, Microsoft released MS06-052, an "important" update for Pragmatic General Multicast (PGM), a multicast protocol within Windows used to detect, report on and request retransmission of incomplete or lost inbound data.

Microsoft officials said attackers could exploit a remote code execution flaw in the program to send a specially crafted multicast message to an affected system to launch malicious code. The problem is that the application fails to properly bounds check externally supplied data. Windows XP Service Pack 1 and Windows XP Service Pack 2 are affected.

Finally, Microsoft released MS06-053, a "moderate" fix for an information disclosure vulnerability in the Windows Indexing Service. The flaw is in how the program handles query validations.

"The vulnerability could allow an attacker to run client-side script on behalf of a user," Microsoft officials said. "The script could spoof content, disclose information, or take any action that the user could take on the affected Web site."

The flaw affects:

  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 1
  • Windows XP Service Pack 2
  • Windows XP Professional x64 Edition
  • Windows Server 2003
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 (Itanium)
  • Windows Server 2003 SP1 (Itanium)
  • Windows Server 2003 x64 Edition

    Chris Andrew, vice president of security technologies at Scottsdale, Ariz.-based vulnerability management firm Patchlink Corp., suggested IT administrators use the lighter load this month to harden their defenses against the growing array of zero-day threats. He noted that attackers are actively exploiting a Microsoft Word flaw that wasn't patched this month, and that zero-day threats will keep increasing.

    "There's a lot they could be doing to lock down their network, like restricting user rights and making sure security policies are well-organized," he said.

    This article originally appeared on SearchSecurity.com.


    • Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.
      Back to top