As expected, Microsoft released three security fixes on 12
September for flaws in components of Windows and Office. One
security expert recommended IT administrators use the lighter
patching load as an opportunity to tighten defenses against
ever-increasing zero-day threats.
The only critical update this month is
MS06-054, which addresses a remote code
execution vulnerability in Microsoft Publisher, part of
Microsoft Office. The flaw surfaces when the program handles
malformed PUB files.
"If a user were logged on with administrative user rights, an
attacker who successfully exploited this vulnerability could take
complete control of an affected system," Microsoft officials said.
"An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights."
The flaw affects Office 2000 Service Pack 3; Office XP Service
Pack 3; Office 2003 Service Pack 1; Office 2003 Service Pack 2; and
Microsoft Publisher 2000, 2002 and 2003.
Meanwhile, Microsoft released
MS06-052, an "important" update for
Pragmatic General Multicast (PGM), a multicast protocol within
Windows used to detect, report on and request retransmission of
incomplete or lost inbound data.
Microsoft officials said attackers could exploit a remote code
execution flaw in the protocol by sending a specially crafted multicast
message to an affected system in order to run malicious code. The problem
is that the PGM implementation fails to properly bounds-check
externally supplied data. Windows XP Service Pack 1 and Windows XP
Service Pack 2 are affected.
Finally, Microsoft released
MS06-053, a "moderate" fix for an
information disclosure vulnerability in the Windows Indexing
Service. The flaw lies in how the service validates
queries.
"The vulnerability could allow an attacker to run client-side
script on behalf of a user," Microsoft officials said. "The script
could spoof content, disclose information, or take any action that
the user could take on the affected Web site."
The flaw affects:
- Windows 2000 Service Pack 4
- Windows XP Service Pack 1
- Windows XP Service Pack 2
- Windows XP Professional x64 Edition
- Windows Server 2003
- Windows Server 2003 Service Pack 1
- Windows Server 2003 (Itanium)
- Windows Server 2003 SP1 (Itanium)
- Windows Server 2003 x64 Edition
Chris Andrew, VP of security technologies for vulnerability
management firm Patchlink Corp., suggested IT administrators use
the lighter load this month to harden their defenses against the
growing array of zero-day threats. He noted that attackers are
actively exploiting a Microsoft Word flaw
that wasn't patched this month, and that zero-day threats will
keep increasing.
"There's a lot they could be doing to lock down their network,
like restricting user rights and making sure security policies are
well organised," he said.