Thursday, August 10, 2006

Microsoft Fixes 23 Security Flaws

Microsoft Corp. today released free software updates to fix nearly two dozen security holes in its Windows operating system and Microsoft Office products. At least 17 of the 23 flaws could be exploited by attackers to hijack vulnerable systems or to install malicious code, the company warned.
Dig through the details of the advisories and you will see that instructions showing would-be attackers how to exploit at least nine of the flaws have already been posted online. Microsoft also said it has seen at least three of the flaws being actively exploited in the wild. As usual, updates are available via Microsoft Update (Internet Explorer required) or through automatic updates.
Microsoft typically lists its security advisories each month in the order of most to least severe, and the first flaw detailed in today's patch bundle fixes a problem in the Windows "server service," which facilitates file-sharing among Windows systems that reside on the same network. This highly "wormable" bug is mainly a big deal for businesses, since it is most severe on Windows 2000 systems (most common in corporate environments). Also, many Internet service providers filter file-sharing requests between customers, but file-sharing is almost always turned on inside corporate networks.
The SANS Internet Storm Center, which was credited in part with the discovery of this flaw, reported evidence of it being exploited publicly as early as June 30. According to SANS, Microsoft replied that it was already aware of the flaw at that time. I understand the Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) is set to release more information about this flaw later today. Of course, Security Fix will update this blog in the event that the DHS advisory adds any new wrinkles.
The next most serious advisory details two very dangerous vulnerabilities resident in Windows 2000, Windows XP and Windows Server 2003 that attackers could exploit merely by inducing a user to visit a malicious Web site. Microsoft said these flaws also could be exploited when a user opens a specially crafted e-mail or views one in the e-mail preview pane.
It wouldn't be a Patch Tuesday without a huge rollup for Microsoft's default Web browser. The IE patch fixes a total of eight vulnerabilities, five of which are especially serious -- depending on which version of the browser you're using and which version of Windows. One of the IE glitches, a problem with the way file transfers work, was originally reported to Microsoft in 2004.
Microsoft also fixed three critical vulnerabilities in versions of its Office software, including two that are actively being exploited to break into and steal information from vulnerable computers. One fixes Office 2000, Office XP and Office 2003, as well as Microsoft Office and PowerPoint versions for Mac OS X (see the advisory for Mac Office download links). The second update addresses flaws in Office 2000 and XP, as well as Microsoft Project, Visio, Works and Visual Basic (see the advisory for links to those individual products).
Keep in mind that if you are using Office 2000 you will not be able to get those fixes through Microsoft Update or through automatic updates. Office 2000 users will need to visit Microsoft's Office site and click on the "check for updates" link in the upper right corner of the screen. Office 2000 users who do not have their installation CD handy should be able to install the updates by choosing "no" at the "Do you have your Office product CD?" prompt.

1 Comment:

At 12:21 AM, Anonymous Anonymous said...

hey nice blog you have here, it's been ages since I found one so interesting. Take a look at mine if you like? x box hard drive
