As expected, Microsoft has released six patch bulletins -- five
of them critical -- to fix flaws in Internet Explorer and several
components of the Windows operating system. Attackers have
already exploited some of the flaws in
recent weeks.
Microsoft urged customers to install the patches immediately.
Online outlaws could exploit the most critical flaws to take
control of targeted machines. Once hijacked, these machines could
be used to install programs; view, change, or delete data; or
create new accounts with full user rights, the software giant
warned.
In a message to customers of its DeepSight Threat Management
Service, Cupertino, Calif.-based antivirus giant Symantec Corp.
said the two most critical bulletins are
MS06-070, which addresses a memory
corruption flaw in Windows' Workstation service; and
MS06-071, which addresses a flaw in the
XMLHTTP ActiveX control within Microsoft XML Core Services.
The first flaw could be exploited by remote attackers on Windows
2000, Windows XP and possibly Windows Server 2003 systems, Symantec
said, adding that a wide variety of component technologies and
services depend on the Workstation service, making the environment
ideal for a potential worm attack. Symantec said the XML Core
Services flaw is also serious because all supported versions of
Internet Explorer (IE) make use of the XML Core Services library,
including the recently released IE 7.
"Many of the issues addressed in this month's batch of patches
attend to publicly exploited issues," Alfred Huger, senior director
of development for Symantec Security Response, said in a statement.
"Attackers are exploiting vulnerabilities with increasing speed,
and it's imperative that computer users protect themselves by
installing updated software patches as quickly as possible."
This month's other critical bulletins are:
MS06-067, a cumulative update for IE that
fixes several flaws. Some of the flaws are in DirectAnimation
ActiveX controls and could be exploited if the ActiveX controls
are passed unexpected data. "An attacker could exploit these
vulnerabilities by constructing a specially crafted Web page
that could potentially allow remote code execution" if a user
visited the page, Microsoft said. Another flaw is in how IE
interprets HTML with certain layout combinations. Attackers
could also exploit this by luring users to a specially crafted
Web page.
MS06-068, which fixes a flaw in how
Microsoft Agent handles specially crafted .ACF files. An
attacker could exploit the vulnerability by constructing a
specially crafted Web page and luring users to it.
MS06-069, which fixes several flaws in how
Adobe's Macromedia Flash Player handles Flash animation (.swf)
files. An attacker could exploit the flaws by constructing a
specially crafted .swf file, placing it on a Web site and
luring users there. The specially crafted .swf file could also
be sent as an email attachment.
Finally, Microsoft released MS06-066, an "important" update fixing two
flaws. One is a memory corruption flaw in Client Service for
NetWare (CSNW), a component of Windows. The other is a
denial-of-service flaw an attacker could exploit by sending a
specially crafted network message to an affected system.
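For administrators who want to confirm that this month's bulletins actually landed on a host rather than trusting that Windows Update ran, the following is an added example (not from the article, from Microsoft or from Symantec) that queries the local hotfix inventory for the KB numbers behind each bulletin. The bulletin-to-KB mapping is taken from the titles of the bulletins as published; treat it as an assumption and verify it against the bulletins themselves before relying on the script.

```powershell
# Added example: report which of the November bulletins are missing on this host.
# The bulletin -> KB mapping below is an assumption taken from the bulletin titles;
# check it against the published bulletins before relying on it.
$Bulletins = @{
    'MS06-066' = 'KB923980'   # Client Service for NetWare (important)
    'MS06-067' = 'KB922760'   # IE cumulative update (critical)
    'MS06-068' = 'KB920213'   # Microsoft Agent .ACF handling (critical)
    'MS06-069' = 'KB923789'   # Macromedia Flash Player .swf handling (critical)
    'MS06-070' = 'KB924270'   # Workstation service memory corruption (critical)
    'MS06-071' = 'KB928088'   # MSXML XMLHTTP ActiveX control (critical)
}

function Get-BulletinStatus {
    param([hashtable]$Map = $Bulletins)

    # Win32_QuickFixEngineering lists updates the Windows servicing stack installed.
    $installed = Get-CimInstance -ClassName Win32_QuickFixEngineering |
        ForEach-Object { $_.HotFixID.ToUpper() }

    foreach ($entry in ($Map.GetEnumerator() | Sort-Object Name)) {
        [pscustomobject]@{
            Bulletin  = $entry.Name
            KB        = $entry.Value
            Installed = ($installed -contains $entry.Value.ToUpper())
        }
    }
}

# Print only what is still missing, so an empty table means the host is current.
Get-BulletinStatus | Where-Object { -not $_.Installed } | Format-Table -AutoSize
```

One caveat a practitioner should keep in mind: the hotfix inventory only records packages the servicing stack installed under that KB number, so a later cumulative update that supersedes one of these (the IE cumulative update in particular) will not show the older KB even though the fix is present. Treat a "missing" entry as a prompt to check the file version of the affected component, not as proof that the host is exploitable.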
One issue Microsoft didn't address this month is a zero-day flaw
in Visual Studio 2005, which was announced Nov. 1. A Microsoft
spokesperson said more time is needed to develop and test that fix.