Microsoft released six critical patches Tuesday and updated a
software tool. One fix rated important, two moderate fixes and
another rated as low were also released as part of Microsoft's
monthly patch announcement.
But due to some technical difficulties, the software giant was
unable to push its updates out via the following automated tools:
Microsoft Update, Automatic Updates, Windows Server Update Services
(WSUS) and Windows Update v6.
"To be clear, it's a delay due to the networking for these
systems ... There are no issues with the security updates
themselves," said Craig Gehre of the Microsoft Security Response
Center (MSRC). "Also," he said in the MSRC
blog, "this issue doesn't affect customers using Software
Update Services (SUS), Windows Update v4 or Office Update."
He said those affected by the delay can download and deploy the
patches manually by visiting Microsoft's TechNet Web
site.
"Technical teams are engaged and have been working around the
clock to resolve this problem," he added.
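Because the automated channels were delayed, administrators who deployed these patches by hand needed a way to confirm which updates actually landed on each host. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the installed-hotfix inventory from WMI (Win32_QuickFixEngineering) and reports which of a required set of KB articles are missing. The bulletin-to-KB mapping and the installed list below are constructed placeholders, not the real KB numbers for the October 2006 bulletins; fill the mapping in from each bulletin's page before use.

```powershell
# Added example (not from the article or Microsoft): report which required
# updates are missing from a host that was patched manually while
# WSUS/Automatic Updates were delayed.
# Assumptions: the account running this can query WMI on the host, and the
# KB identifiers below are constructed placeholders to be replaced with the
# KB numbers printed on each bulletin.

function Get-MissingHotFix {
    param(
        # Hashtable mapping a bulletin ID (e.g. 'MS06-057') to the KB article
        # that delivers it.
        [Parameter(Mandatory)] [hashtable] $Required,

        # Installed hotfix IDs. Defaults to the live WMI inventory of this
        # host; pass a captured list to evaluate a remote export offline.
        [string[]] $Installed = (Get-CimInstance Win32_QuickFixEngineering |
                                 Select-Object -ExpandProperty HotFixID)
    )

    # Normalise case so 'kb12345' and 'KB12345' compare equal.
    $installedSet = @{}
    foreach ($kb in $Installed) { $installedSet[$kb.ToUpper()] = $true }

    # One row per required bulletin, flagged installed or not.
    foreach ($bulletin in ($Required.Keys | Sort-Object)) {
        $kb = $Required[$bulletin].ToUpper()
        [pscustomobject]@{
            Bulletin  = $bulletin
            KB        = $kb
            Installed = $installedSet.ContainsKey($kb)
        }
    }
}

# Constructed placeholder mapping (NOT the real KB numbers): replace each
# value with the KB article listed on the corresponding bulletin.
$october2006 = @{
    'MS06-056' = 'KB0000056'
    'MS06-057' = 'KB0000057'
    'MS06-058' = 'KB0000058'
    'MS06-059' = 'KB0000059'
    'MS06-060' = 'KB0000060'
    'MS06-061' = 'KB0000061'
    'MS06-062' = 'KB0000062'
    'MS06-063' = 'KB0000063'
    'MS06-064' = 'KB0000064'
    'MS06-065' = 'KB0000065'
}

# Constructed sample inventory standing in for the WMI query output, so the
# example runs offline. Omit -Installed to inspect the local host instead.
$sampleInstalled = @('KB0000057', 'KB0000058', 'KB0000060')

Get-MissingHotFix -Required $october2006 -Installed $sampleInstalled |
    Where-Object { -not $_.Installed } |
    Format-Table -AutoSize
```

Run without the -Installed argument on each patched host (or against an exported HotFixID list) and treat any row with Installed set to False as a host that still needs the bulletin. Note that Win32_QuickFixEngineering only lists updates installed through the Windows servicing stack; an update applied through a standalone installer that does not register a KB entry will not appear and must be verified by file version instead.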
October bulletins summarized
Critical updates included five fixes for vulnerabilities that
could allow remote code execution in Windows Shell, PowerPoint,
Excel, Word and XML Core Services, and one critical update
covering additional Office vulnerabilities.
Two of the critical updates, for Windows Shell and PowerPoint,
address outstanding vulnerabilities that were already widely known
among IT professionals.
Security experts said all six critical patches are important to
implement. Three of them, MS06-057, MS06-058 and MS06-060, address
outstanding zero-day exploits, so they might be a higher priority
because hackers already know how to take advantage of the flaws,
according to Jonathan Bitle, manager of technical accounts at Qualys
Inc., a vulnerability management and policy compliance company
based in Redwood Shores, Calif.
One important patch that addresses a denial-of-service
vulnerability in Server Service was also released.
There were also two moderate fixes: one for a vulnerability in
ASP.NET that could allow information disclosure and one in Windows
Object Packager that could allow remote code execution. There was
also one fix with a low rating that addressed vulnerabilities in
TCP/IP that could allow denial of service.
All in all, 26 different vulnerabilities were addressed by the
10 patches, Bitle said.
The critical patches include:
MS06-057, which addresses a remote code execution vulnerability
in Windows Shell because of improper validation of input parameters
when invoked by the WebViewFolderIcon ActiveX control.
MS06-058, which addresses remote code execution vulnerabilities
in PowerPoint. It covers object pointer, data record, record
memory and malformed record vulnerabilities.
MS06-059, which addresses three Excel record vulnerabilities
and one Lotus 1-2-3 file vulnerability.
MS06-060, which addresses four Word vulnerabilities: one in Word
for Mac, one in Word, one malformed stack vulnerability in Word and
one mail merge vulnerability.
MS06-061, which addresses two vulnerabilities in XML Core
Services: an information disclosure vulnerability in which the
XMLHTTP ActiveX control incorrectly interprets an HTTP server-side
redirect, and a vulnerability in XSLT processing that could allow
remote code execution on an affected system.
MS06-062, which addresses four separate Office vulnerabilities
including improper memory access, malformed chart record, malformed
record memory corruption and smart tag parsing.
The one important patch is:
MS06-063, which addresses a denial of service vulnerability
that exists in the Server Service because of the way it handles
certain network messages. An attacker could exploit the
vulnerability by sending a specially crafted network message to a
computer running the Server service.
The two moderate patches are:
MS06-056, which addresses a cross-site scripting vulnerability
that exists in a server running a vulnerable version of the .NET
Framework 2.0 and could allow an attacker to inject client-side
script into the user's browser.
MS06-065, which addresses a remote code execution vulnerability
that exists in Windows Object Packager because of the way that file
extensions are handled.
The one low-rated patch is:
MS06-064, which addresses a denial of service that exists in
the Windows implementation of the Internet Control Message
Protocol for IPv6 (ICMPv6).
As is the company's usual practice, users can go to the
Information about Microsoft October Security Bulletins site and
participate in a Web cast during which they can ask questions about
the flaws and the patches.
This story also appears at SearchWinIT.com, part of the TechTarget network.