Another hefty patch month for Microsoft

Count 'em: A dozen security updates, nine rated "critical," covering 20 holes in Windows and three in Office.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
For the third straight month, it's a busy "Patch Tuesday."

As part of its monthly security update cycle, Microsoft on Tuesday released a dozen security bulletins. Nine of them are tagged critical, the company's highest severity rating. The alerts give details of 20 flaws in Windows and three in Office, all of which Microsoft has now fixed.

Several of the issues, such as a vulnerability in PowerPoint, have already been publicly reported and are being actively used in cyberattacks. However, the bundle of updates also covers bugs that Microsoft discovered itself, the company said. These issues have not been publicly disclosed and are not described in the bulletins.

"Today, Microsoft patched 23 vulnerabilities, the highest number since their monthly patch program started," Monty Ijzerman, a senior manager at McAfee's Avert Labs, said in a statement. Of those flaws, 11 were publicly known or exploited before Microsoft provided fixes, he said.

Of specific interest is a remotely exploitable vulnerability in Windows, which Microsoft reports is already being used in attacks on PCs. The problem lies in a Windows service that provides support for networking features such as file sharing and printer sharing, the company said in security bulletin MS06-040.

"This is the one that we're encouraging people to prioritize and put on the top of the stack for their testing and deployment," Christopher Budd, security program manager at Microsoft, said in an interview. If immediate patching is not possible, Microsoft suggests using its workarounds, he said.

The flaw addressed in MS06-040 is the only one in Microsoft's Tuesday patch bunch that could let an anonymous attacker remotely commandeer a Windows PC without any user interaction, Budd said. Microsoft has seen a "very limited attack" that already exploited this flaw, he said.

The infamous MSBlast worm, which wreaked havoc in 2003, exploited a similar flaw, related to a Windows component called remote procedure call.

Last month, Microsoft patched a potential Windows worm hole when it released seven bulletins tackling 18 security flaws in Windows and Office. The patching rush started in June, when it released 12 bulletins. It came after a patch lull, with only three alerts in May, five in April and two in March.

Another of this month's flaws that could be exploited without any user interaction lies in the Windows Domain Name System (DNS) client, which is used to help translate URLs into numerical IP addresses. However, an attacker has to be on the same subnetwork as the intended target or must trick the user into making a DNS request to a malicious server, Microsoft said in bulletin MS06-041.

The bulk of the problems addressed by the August patches could be used for attacks via the Web or e-mail. They include security holes in the Internet Explorer Web browser, the Outlook Express e-mail client and other Windows and Office components.

For example, MS06-042 delivers fixes for eight IE bugs, and the user has to be duped into visiting a malicious Web site for attacks based on the holes to succeed, Microsoft said.

While it is a busy Patch Tuesday, Microsoft has not addressed all known flaws in its products. For example, a variant of a bug patched last month in a Windows component called "mailslot" is still without a fix. Proof-of-concept code that exploits this flaw was posted to the Net last month.

Microsoft recommends that people install the critical fixes immediately. The updates are available via the Windows Update and Automatic Updates tools. Temporary workarounds are outlined in the security bulletins for those who can't immediately apply the patches.