Microsoft Fixes 23 Security Vulnerabilities with 12 Patches
Published: August 9, 2006
by Alex Woodie
It's a full moon, another month has passed, and Microsoft has issued its regularly scheduled round-up of patches to fix security vulnerabilities in its products. August's Patch Tuesday yielded a bumper crop: 12 patches--nine of them critical--fixing 23 separate vulnerabilities, including a serious remote code execution issue with the Windows Server service that is currently being exploited. Other fixes target problems that run the gamut of Microsoft products, including Office, Internet Explorer, the TCP/IP stack, and the Windows kernel itself.
Of all the patches issued yesterday, Microsoft Security Bulletin MS06-040, which fixes the Buffer Overrun in Server Service vulnerability in Windows XP and 32- and 64-bit versions of Windows Server 2003, is likely the most important, says Qualys, a Redwood Shores, California, provider of on-demand vulnerability and compliance management services.
The Buffer Overrun in Server Service vulnerability is the only vulnerability fixed yesterday that isn't a client-side problem and doesn't require user intervention, according to Amol Sarwate, director of the Qualys vulnerability lab. The danger posed by the flaw is potentially mitigated by the fact that it takes advantage of file and print sharing services that security-savvy organizations will have turned off, Sarwate says.
Of course, not every organization is security-conscious, and not every organization will apply the updates, which could be unfortunate in the case of Security Bulletin MS06-040, which is one of three vulnerabilities addressed by Microsoft yesterday that are being actively exploited on the Web.
The other patches that fix problems that are being exploited include Security Bulletin MS06-048, which fixes a problem in PowerPoint that could allow an attacker to take control of a computer if a user opens a malformed PPT file, and Security Bulletin MS06-042, a cumulative update for Internet Explorer that addresses eight separate security problems.
Yesterday's patches continue the trend of finding and fixing problems in client-side software, Sarwate says. However, the move away from servers among hackers and others that search for vulnerabilities doesn't necessarily reduce the danger organizations face. "It's a difficult thing to say. They're not less dangerous because for client-side issues, there's no central place for monitoring users. You can't just use a firewall [to restrict activity]. I would be very careful," he says.
In particular, the increasing use of "fuzzers" and other tools that help hackers find and exploit vulnerabilities, combined with social engineering techniques to gain trust and access, makes Sarwate concerned. "The key is user education, telling them what to open, and what not to open," he says.
Microsoft customers are encouraged to apply the new patches immediately. More information on yesterday's patches can be found at www.microsoft.com/technet/security/bulletin/ms06-aug.mspx. Internet Explorer users can download the updates at update.microsoft.com; non-IE users are encouraged to go to the Microsoft Download Center to find and download the updates.