Microsoft patches seven security holes, five critical

The software giant's monthly batch of fixes includes critical repairs for Internet Explorer and Windows' networking features, plus "important" bulletins for IIS.

Microsoft released seven security updates Tuesday -- five of them critical -- to fix vulnerabilities in Office, Excel, Windows and Internet Information Services (IIS).

In its July security bulletins, the software giant warned that attackers could exploit the most serious flaws to take complete control of affected machines and install programs; view, change or delete data; or create new accounts with full user rights.

MS06-037 is a critical bulletin that Microsoft recommends IT administrators make the month's top patching priority. It patches eight different flaws in Microsoft Excel, including a zero-day flaw that attackers have already exploited.

The other critical bulletins are:

  • MS06-039, which addresses a remote code execution flaw in Microsoft Office. Attackers could exploit the flaw by constructing a specially crafted .png file, which could then permit them to launch malicious code.

  • MS06-038, which addresses three Microsoft Office flaws that appear when malformed strings and properties are parsed by any of the affected Office applications. "Such a string might be included in an email attachment processed by one of the affected applications or hosted on a malicious Web site," Microsoft said. "An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution."

  • MS06-036, which addresses a buffer overrun flaw in Windows' Dynamic Host Configuration Protocol (DHCP) client service. Attackers could exploit the flaw to take complete control of the affected system, Microsoft said.

  • MS06-035, which addresses two Windows flaws: a mailslot heap overflow vulnerability in a server driver that could allow an attacker to take complete control of the affected system; and a server message block information disclosure flaw in the server service that could allow an attacker to view fragments of memory used to store server message block traffic during transport.

Microsoft also released two security bulletins it rated as important. They are:

  • MS06-034, which addresses a remote code execution flaw in Internet Information Services (IIS). "An attacker could exploit the vulnerability by constructing a specially crafted Active Server Pages .asp file, potentially allowing remote code execution if the IIS processes the specially crafted file," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

  • MS06-033, which addresses an information disclosure flaw attackers could exploit to bypass ASP.NET security and gain unauthorized access to objects in the application folders explicitly by name.

As it does every month, Microsoft also released an updated version of its Windows Malicious Software Removal Tool and will host a webcast Wednesday to address any questions IT administrators have regarding this month's updates.

    This article originally appeared on
