Microsoft released seven security updates on 11 July -- five of
them critical -- to fix vulnerabilities in Office, Excel, Windows
and Internet Information Services (IIS).
In its July security bulletins, the software giant warned that
attackers could exploit the most serious flaws to take complete
control of affected machines and install programs; view, change or
delete data; or create new accounts with full user rights.
MS06-037 is a critical bulletin that Microsoft recommends IT
administrators make the month's top patching priority. It patches
eight different flaws in Microsoft Excel, including a zero-day flaw
that attackers have already exploited.
The other critical bulletins are:
- MS06-039, which addresses a remote code
execution flaw in Microsoft Office. Attackers could exploit the
flaw by constructing a specially crafted .png file, which could
then permit them to launch malicious code.
- MS06-038, which addresses three Microsoft
Office flaws that appear when malformed strings and properties
are parsed by any of the affected Office applications. "Such a
string might be included in an email attachment processed by one
of the affected applications or hosted on a malicious Web site,"
Microsoft said. "An attacker could exploit the vulnerability by
constructing a specially crafted Office file that could allow
remote code execution."
- MS06-036, which addresses a buffer overrun
flaw in Windows' Dynamic Host Configuration Protocol (DHCP)
client service. Attackers could exploit the flaw to take
complete control of the affected system, Microsoft said.
- MS06-035, which addresses two Windows flaws:
a mailslot heap overflow vulnerability in a server driver that
could allow an attacker to take complete control of the affected
system; and a Server Message Block (SMB) information disclosure flaw
in the server service that could allow an attacker to view
fragments of memory used to store SMB traffic
during transport.
Microsoft also released two security bulletins it rated as
important. They are:
- MS06-034, which addresses a remote code
execution flaw in Internet Information Services (IIS). "An
attacker could exploit the vulnerability by constructing a
specially crafted Active Server Pages .asp file, potentially
allowing remote code execution if the IIS processes the
specially crafted file," Microsoft said. "An attacker who
successfully exploited this vulnerability could take complete
control of an affected system."
- MS06-033, which addresses an information
disclosure flaw attackers could exploit to bypass ASP.NET
security and gain unauthorized access to objects in the
application folders explicitly by name.
As it does every month, Microsoft also released an updated
version of its Windows Malicious Software Removal Tool and will
host a webcast Wednesday to address any questions IT
administrators have regarding this month's updates.