Microsoft plugged 19 holes on Tuesday, including seven critical
updates, addressing a zero-day DNS server flaw and flaws in
Microsoft Exchange, Internet Explorer, Microsoft Excel, Word and
Office.
The patches were released on Tuesday as part of its monthly
Patch Tuesday update cycle. If exploited, Microsoft said the
critical flaws could allow an attacker to take complete control of
a system.
The DNS Server Service flaw, which has been attacked on a
limited scale in recent weeks, has been troublesome to some IT pros
because DNS servers resolve domain names to the actual IP addresses
of the Web servers hosting the requested sites.
Rich Linke, a Chicago-based independent security consultant and
former global security manager at Kraft Foods, said security pros
will likely get to work on patching Exchange server and deploying
the zero-day DNS server updates. Flaws in Internet Explorer and
Excel also could "pose issues from a deployment standpoint," and be
a sizeable push to the desktop, Linke said.
"Some of the Exchange vulnerabilities kind of look odd and it's
not clear at first glance if it affects the Outlook client and the
server," he said. "The DNS noise level calmed down quite a bit over
the last seven to ten days, so we didn't expect the update to come out
of cycle."

Microsoft DNS zero-day:
Microsoft to release DNS patch Tuesday: In addition to a fix
for the DNS Server Service flaw, Microsoft plans to patch critical
flaws in Windows, Office, Exchange, CAPICOM and BizTalk.
DNS worm strikes at Microsoft flaw: A new worm called Rinbot.BC
exploits the Microsoft DNS flaw by installing an IRC bot on
infected machines and scanning for other vulnerable servers.
Microsoft investigates DNS server flaw: Attackers could exploit a
DNS flaw in Microsoft Windows 2000 Server and Windows Server 2003
and run malicious code on the system. A workaround is suggested
until a patch is issued.

A remote code execution vulnerability in Microsoft Exchange affects
Multipurpose Internet Mail Extensions. In an advisory issued to
customers, Symantec called the vulnerability one of the more
critical issues of the month.
"A successful attack could completely compromise the computer
hosting the vulnerable Exchange server and has the potential for
impacting a large audience," Symantec said.
Microsoft also issued patches plugging four critical
vulnerabilities in Internet Explorer that could be exploited by an
attacker when a user visits a malicious Web site. The flaws are in
IE 6 and 7 and include a Property Type Memory Corruption
Vulnerability and HTML Objects Memory Corruption.
"As we reported in the recent Internet Security Threat Report,
attackers are continuing to leverage browser and application
vulnerabilities and social engineering tactics to gain access to
computers in order to execute malicious code," Oliver Friedrichs,
director, emerging technologies, Symantec Security Response said in
a statement.
Critical vulnerabilities in Microsoft Word, which included an RTF
parsing flaw, a document stream flaw and an array overflow flaw,
were plugged. Microsoft Word versions 6.0 and earlier were
affected. A record vulnerability and a set font flaw in Microsoft
Excel were also patched. The flaws in both Word and Excel could
be exploited by an attacker to gain control of a computer.
"Since the Microsoft Office vulnerability is entrusted in Web
applications, like Internet Explorer, these patches are critical
and should also be prioritised and deployed quickly," said Paul
Zimski, senior director of market and product strategy for
PatchLink.
Microsoft also released a non-security, high-priority update for
Windows on Windows Update (WU) and Software Update Services (SUS)
and non-security, high-priority updates on Microsoft Update (MU)
and Windows Server Update Services (WSUS).
For more information, Microsoft held a Webcast about the latest
update.