Microsoft releases Office, Windows fixes

This month's only critical fix is for a flaw in Microsoft Publisher, a component of Office. Attackers could exploit the flaw to take control of vulnerable machines.

As expected, Microsoft released three security fixes Tuesday for flaws in components of Windows and Office. One security expert recommended IT administrators use the lighter patching load as an opportunity to tighten defenses against ever-increasing zero-day threats.

The only critical update this month is MS06-054, which addresses a remote code execution vulnerability in Microsoft Publisher, part of Microsoft Office. The flaw surfaces when the program handles malformed PUB files.

"If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft officials said. "An attacker could then install programs; view, change or delete data; or create new accounts with full user rights."

The flaw affects Office 2000 Service Pack 3; Office XP Service Pack 3; Office 2003 Service Pack 1; Office 2003 Service Pack 2; and Microsoft Publisher 2000, 2002 and 2003.

Meanwhile, Microsoft released MS06-052, an "important" update for Pragmatic General Multicast (PGM), a multicast protocol within Windows used to detect, report on and request retransmission of incomplete or lost inbound data.

Microsoft officials said attackers could exploit a remote code execution flaw in the program by sending a specially crafted multicast message to an affected system to launch malicious code. The problem is that the application fails to properly bounds check externally supplied data. Windows XP Service Pack 1 and Windows XP Service Pack 2 are affected.

Finally, Microsoft released MS06-053, a "moderate" fix for an information disclosure vulnerability in the Windows Indexing Service. The flaw is in how the program handles query validations.

"The vulnerability could allow an attacker to run client-side script on behalf of a user," Microsoft officials said. "The script could spoof content, disclose information, or take any action that the user could take on the affected Web site."

The flaw affects:

  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 1
  • Windows XP Service Pack 2
  • Windows XP Professional x64 Edition
  • Windows Server 2003
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 (Itanium)
  • Windows Server 2003 SP1 (Itanium)
  • Windows Server 2003 x64 Edition

Chris Andrew, vice president of security technologies at Scottsdale, Ariz.-based vulnerability management firm Patchlink Corp., suggested IT administrators use the lighter load this month to harden their defenses against the growing array of zero-day threats. He noted that attackers are actively exploiting a Microsoft Word flaw that wasn't patched this month, and that zero-day threats will keep increasing.

"There's a lot they could be doing to lock down their network, like restricting user rights and making sure security policies are well-organized," he said.

This article originally appeared on SearchSecurity.com.
