
Seven Microsoft patches we want today (but won't get)

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

This month Microsoft did not release any patches within its March 2007 security bulletin, though it did update its Malicious Software Removal Tool. Where we'd ordinarily call your attention to important patches from Microsoft, we thought we'd highlight a few important open vulnerabilities.

Four are of high-level concern, two of medium concern and one of low concern. Four flaws affect Internet Explorer, one affects Windows and two affect Office. The oldest flaw here dates back to July 2006. In case you missed any previous Microsoft security patches for Windows and Office software, all are available via Microsoft Update.

CVE-2007-1091: High concern
Titled "Internet Explorer onUnload flaw (1091)," this flaw affects users of Internet Explorer, version 7 and earlier, and dates from February 27. Successful exploitation could lead to a denial of service (crash) and can allow remote access.

CVE-2006-6696: High concern
Titled "Windows flaw in WINSRV.DLL (6696)," this flaw affects users of Microsoft Windows 2000, XP, 2003, and Vista, and dates from December 22, 2006. Successful exploitation could lead to elevation of privilege.

CVE-2007-0870: High concern
Titled "Microsoft Word 2000 flaw (0870)," this flaw affects users of Microsoft Word 2000 and dates from February 12. Successful exploitation could lead to remote code execution.

CVE-2007-0913: High concern
Titled "Unspecified PowerPoint flaw (0913)," this flaw affects users of Microsoft PowerPoint and dates from February 13. Successful exploitation could lead to elevation of privilege.

CVE-2006-4219: Medium concern
Titled "Terminal Services COM object flaw in Internet Explorer 6 (4219)," this flaw affects users of Internet Explorer 6 and dates from August 18, 2006. Successful exploitation could lead to a denial of service (crash) and can allow remote access.

CVE-2006-3360: Medium concern
Titled "COM object flaw in Internet Explorer 6 (3360)," this flaw affects users of Internet Explorer 6 and dates from August 18, 2006. Successful exploitation causes a denial of service (crash) or possibly the execution of malicious code.

CVE-2006-2658: Low concern
Titled "Internet Explorer 'FolderItem' Object Access Remote Denial of Service Vulnerability (2658)," this flaw affects users of Internet Explorer 6 and dates from July 18, 2006. Successful exploitation causes a denial of service (crash) or possibly the execution of malicious code.