Volume 2, Number 6 -- February 9, 2005

Patch Tuesday Yields Banner Crop of 12 Fixes, 8 of Them Critical

by Alex Woodie

Microsoft made fixes available for 12 new security vulnerabilities yesterday in the biggest Patch Tuesday event in recent memory. Nine of the new security bulletins directly affect the Windows operating system; the rest affect the .NET Framework, Windows Media Player and MSN Messenger, and Microsoft's Portal and Office products. Microsoft rated eight of these vulnerabilities critical, its highest severity level, meaning they should be patched immediately.

Yesterday's bounty brought at least six new patches for flaws affecting Windows Server 2003, Microsoft's flagship server operating system, and six more for Windows XP Service Pack 2, the latest security-related release of the client OS. Microsoft even found time to fix six new flaws in the aging Windows NT 4.0, support for which was supposed to have ended on December 31.

While many news sites reported 13 new patches, there were really only 12, provided you could reach the Web site to download them. Several times yesterday, Microsoft's TechNet Security Web site returned the dreaded "404 - Page Not Found" message instead of the specific security bulletins. The problem was soon fixed. A company spokesperson said Microsoft was not aware of any problems with its Web site.

Here's a rundown on the 12 security flaws and patches that Microsoft announced yesterday:

Security Bulletin MS05-004 describes an "important" canonicalization vulnerability in ASP.NET that could allow an attacker to bypass the security of a Web site and gain unauthorized access to the system.

Security Bulletin MS05-005 describes a "critical" buffer overrun vulnerability that could allow remote code execution in Office, Works, Project, and Visio.

Security Bulletin MS05-006 describes a "moderate" cross-site scripting and spoofing vulnerability in SharePoint Services for Windows Server 2003 that could enable an attacker to convince a user to run a malicious script.

Security Bulletin MS05-007 describes an "important" named-pipe vulnerability in Windows XP Service Pack 1 and SP2 and Windows XP 64-Bit Edition SP1 for Itanium that could allow attackers to remotely read the user names of users who have an open connection to an available shared resource.

Security Bulletin MS05-008 describes an "important" privilege elevation vulnerability that could allow attackers to take complete control of computers running Windows Server 2003, Windows Server 2003 for Itanium, Windows XP SP1 and SP2, 64-bit Itanium versions of Windows XP, and Windows 2000 SP3 and SP4.

Security Bulletin MS05-009 fixes a "critical" PNG processing vulnerability in Windows Media Player 9 Series and Windows Messenger version 5.0 that could lead to remote code execution.

Security Bulletin MS05-010 describes a "critical" vulnerability in the License Logging service of Windows Server 2003, Windows Server 2003 for Itanium, Windows NT Server 4.0 SP6a, NT 4.0 Terminal Server SP6, and Windows 2000 Server SP3 and SP4 that could allow an attacker to gain complete control over the affected server.

Security Bulletin MS05-011 fixes a "critical" vulnerability with the Server Message Block (SMB) protocol that could allow remote code execution on Windows Server 2003, Windows Server 2003 for Itanium, Windows 2000 Server SP3 and SP4, Windows XP SP1 and SP2, Windows XP 64-Bit Edition SP1 for Itanium, and Microsoft Windows XP 64-Bit Edition Version 2003 for Itanium.

Security Bulletin MS05-012 describes "critical" OLE and COM vulnerabilities that span many different Microsoft products, including Windows Server 2003, Exchange Server 2002 SP3, Windows XP SP2, and recent versions of the Office suite, and could enable an attacker to take complete control of an affected system.

Security Bulletin MS05-013 describes a "critical" vulnerability in the DHTML Editing Component ActiveX control that could allow remote code execution on Windows Server 2003, Windows Server 2003 for Itanium, Windows XP SP1 and SP2, two 64-bit versions of XP for Itanium, Windows 2000 SP3 and SP4, and Windows 98, Windows 98 SE, and Windows ME.

Security Bulletin MS05-014 fixes a "critical" privilege elevation vulnerability in Internet Explorer 6.0 that could allow an attacker to gain complete control over an affected system.

Security Bulletin MS05-015 addresses a "critical" Hyperlink Object Library vulnerability in Windows Server 2003, the Itanium versions of Windows Server 2003 and Windows XP, Windows XP SP1 and SP2, Windows 2000 SP3 and SP4, and Windows 98, 98 SE, and ME.

Microsoft will discuss all of these patches and vulnerabilities in a special two-hour Webcast today at 11:00 a.m. PT. You can register for the Webcast on Microsoft's TechNet Security Web page.

Editor: Alex Woodie
Managing Editor: Shannon Pastore
Contributing Editors: Dan Burger, Joe Hertvik, Shannon O'Donnell,
Timothy Prickett Morgan, Victor Rozek, Kevin Vandever, Hesh Wiener
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034