X

Microsoft plugs 21 security holes

All but two of the 21 Windows, Office and Exchange flaws could let an intruder run code on a compromised computer.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Dawn Kawamoto
3 min read
Microsoft has issued patches for 21 flaws in its software, saying all but two of them could let an intruder run malicious code on a compromised computer.

The company sent out a dozen security bulletins on Tuesday as part of its regular monthly patch cycle. Eight of the bulletins are labeled "critical," which is Microsoft's highest risk rating. They cover problems with Windows, Internet Explorer, Word, PowerPoint and Exchange Server.

The number of vulnerabilities mean this is Microsoft's largest clutch of patches to date, security experts said.

"There has never been a Microsoft security update to address 21 issues and never one with 19 potential remote execution flaws," said Amol Sarwate, the manager of the Vulnerability Management Lab at flaw management specialist Qualys.

The most important bulletin, MS06-025, is a fix for routing and remote access vulnerabilities in Windows, said Jonathan Bitle, a senior product manager at Qualys.

"These (vulnerabilities) take advantage of two listening services that run on the host and listen for traffic coming in through ports that are frequently utilized," Bitle said. "While a lot of these (other Microsoft) remote execution flaws require interaction (by the user), this one does not. A user doesn't have to click on a link or open an attachment."

The routing and remote access are deemed critical for systems running Windows 2000, and "important"--the second risk ranking--for Windows XP with Service Pack 1 or 2, and for Windows Server 2003 with Service Pack 1.

Qualys is also suggesting that IT managers should jump on another patch, for an issue in Microsoft Exchange Server running Outlook Web Access (MS06-029), even though Microsoft has tagged it only as important.

"If a user checks their e-mail using Outlook Web Access, all they need to do is just open an e-mail in IE and it will cause the script in their e-mail to be remotely executed," Sarwate said.

Over the next days and weeks, IT administrators should be busy deploying the bundle of patches across their network, experts said.

"There are a couple different vulnerabilities. Some are IE browser problems, some affect the Media Player, ART imaging and JScript," said Chris Andrew, vice president of security technologies at PatchLink. "IT managers will probably have to patch every single desktop."

Four of the critical updates deal with security holes that could allow remote code execution in all versions of Windows. One is a cumulative update for the Internet Explorer component (MS06-021), affecting versions 5.01 and 6 of the Web browser. Another (MS06-024) deals with a problem with Windows Media Player, versions 7.1, 9 and 10. The others cover vulnerabilities in Microsoft Jscript (MS06-023) and ART image rendering (MS06-022).

Another critical Windows bulletin, related to bugs in its graphics rendering engine (MS06-026) affects Windows 98, Windows 98 Second Edition (SE) and Windows Millennium Edition (ME) only.

Two updates affecting Office were also given the highest risk rating. A vulnerability in Word (MS06-027) also hits Microsoft Works. The bulletin for a flaw in PowerPoint (MS06-028) replaces an earlier patch.

Microsoft also issued a fix for an important flaw in Windows' Server Message Block (SMB) component (MS06-030) that could enable attackers to elevate their level of system privileges. The "moderate" bulletins covered an RPC Mutual Authentication (MS06-031) problem and a TCP/IP problem (MS06-032) in Windows.