Thursday, August 10, 2006

Microsoft Fixes 23 Security Flaws

Microsoft Corp. today released free software updates to fix nearly two dozen security holes in its Windows operating system and Microsoft Office products. At least 17 of the 23 flaws could be exploited by attackers to hijack vulnerable systems or to install malicious code, the company warned.
Dig through the details of the advisories and you will see that instructions showing would-be attackers how to exploit at least nine of the flaws have already been posted online. Microsoft also said it has seen at least three of the flaws being actively exploited in the wild. As usual, updates are available via Microsoft Update (Internet Explorer required) or through automatic updates.
Microsoft typically lists its security advisories each month in the order of most to least severe, and the first flaw detailed in today's patch bundle fixes a problem in the Windows "server service," which facilitates file-sharing among Windows systems that reside on the same network. This highly "wormable" bug is mainly a big deal for businesses, since it is most severe on Windows 2000 systems (most common in corporate environments). Also, many Internet service providers filter file-sharing requests between customers, but file-sharing is almost always turned on inside corporate networks.
The SANS Internet Storm Center, which was credited in part with the discovery of this flaw, reported evidence of it being exploited publicly as early as June 30. According to SANS, Microsoft replied that it was already aware of the flaw at that time. I understand the Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) is set to release more information about this flaw later today. Of course, Security Fix will update this blog in the event that the DHS advisory adds any new wrinkles.
The next most serious advisory details two very dangerous vulnerabilities resident in Windows 2000, Windows XP and Windows Server 2003 that attackers could exploit merely by inducing a user to visit a malicious Web site. Microsoft said these flaws also could be exploited when a user opens a specially crafted e-mail or views one in the e-mail preview pane.
It wouldn't be a Patch Tuesday without a huge rollup for Microsoft's default Web browser. The IE patch fixes a total of eight vulnerabilities, five of which are especially serious -- depending on which version of the browser you're using and which version of Windows. One of the IE glitches, a problem with the way file transfers work, was originally reported to Microsoft in 2004.
Microsoft also fixed three critical vulnerabilities in versions of its Office software, including two that are actively being exploited to break into and steal information from vulnerable computers. One fixes Office 2000, Office XP and Office 2003, as well as Microsoft Office and PowerPoint versions for Mac OS X (see the advisory for Mac Office download links). The second update addresses flaws in Office 2000 and XP, as well as Microsoft Project, Visio, Works and Visual Basic (see the advisory for links to those individual products).
Keep in mind that if you are using Office 2000 you will not be able to get those fixes through Microsoft Update or through automatic updates. Office 2000 users will need to visit Microsoft's Office site and click on the "check for updates" link in the upper right corner of the screen. Office 2000 users who do not have their installation CD handy should be able to install the updates by choosing "no" at the "Do you have your Office product CD?" prompt.

Microsoft Patches Newest 'Dirty Dozen'

Microsoft released 12 patches aimed at resolving multiple security risks discovered in its operating system and popular Office suite.
Nine of the 12 security updates were deemed "critical," affecting various Windows components, as well as two Office applications previously known to be vulnerable.
The remaining three patches involved "important" security issues, such as remote code execution or elevated user privileges.
Several critical patches revisited flaws previously discovered in applications, such as PowerPoint, Outlook Express and Internet Explorer.
Another patch addressed flaws in a core Windows component already exploited in the "wild," according to a security researcher.
Steve Manzuik, research manager of eEye Digital Security, called MS06-040 important because the flaw in the Windows Services could allow attackers to take control of systems running Windows XP, Windows Server 2003 and Windows 2000.
Internet Explorer was the subject of a cumulative update answering eight critical flaws affecting IE 5.01 and IE 6 for Windows XP, Windows 2003 and Windows 2000.
The vulnerabilities include remote code execution, raised user privileges and information disclosure.
Today's patch MS06-42 replaces the MS06-021 security bulletin issued April 11.
The new patch re-enables ActiveX control handling disabled by the previous security bulletin.
A fix for a previously reported PowerPoint vulnerability was also part of the dozen patches released today.
Today's patch, MS06-048, replaces MS06-038, a security bulletin released in July.
The new patch is of critical importance for PowerPoint 2000 users, as well as for XP and 2003 PowerPoint systems.
Those using PowerPoint for the Mac should also download the patch, according to Microsoft.
A flaw in Outlook Express 6 for XP Pro and XP Service Pack 2, as well as Server 2003, could allow a remote attacker to run malicious code.
The MS06-043 critical patch resolves the problem, according to the software maker.
Rounding out Microsoft's "Patch Tuesday" event were two security updates ranked "important" for Windows users.
This month's dozen patches follows seven patches released in July to fix more than 10 security problems.