In all, nine of the bulletins have been deemed critical and a total of 23 security holes have been fixed in this month's release, including previously exploited Windows and PowerPoint flaws.
"With 23 flaws, this is easily one of Microsoft's largest patch releases, and this batch covers a broad range of applications," said Jonathan Bitle, manager of the technical accounts team at Qualys. "Because we are seeing so many client-side flaws each month, we cannot highlight enough the need for user education - not just a need for patching, but for education among all employees on what kinds of websites and files are acceptable or not."
Microsoft described the critical flaws as those an attacker could exploit to take complete control of an affected system. "An attacker could then install programs, view, change or delete data, or create new accounts with full user rights," the supplier said in its advisories.
The biggest threat
Security experts agree the bulletin to take most seriously is MS06-040, which addresses a remotely exploitable buffer overrun flaw in the Windows Server Service.
On the patch management forum hosted by Shavlik Technologies, Marc Maiffret, chief hacking officer of eEye Digital Security, said IT professionals should focus on getting this patch deployed first. "This vulnerability was being actively exploited in the wild," he said. "However no previous details had been released on it publicly."
In a message on its Web site, the United States Computer Emergency Readiness Team (US-CERT) also warned that one of this month's patches would address a flaw that has already been exploited. The specific flaw or security bulletin was not immediately named, although US-CERT said it would post more details sometime after the bulletins were released.
Amol Sarwate, director of Qualys' vulnerability research lab, said the flaw addressed in MS06-040 is the only one in this month's batch that an attacker could exploit without user interaction. "This is the most critical and users should take it the most seriously," he said. "But all the other critical bulletins cannot be taken lightly because they are spread all over the operating system."
A monster Internet Explorer fix
One of the best examples is MS06-042, the latest cumulative update for Internet Explorer that fixes eight different security holes, Sarwate said. According to Microsoft, the bulletin addresses:
- Two flaws in how Internet Explorer handles redirects.
- Two flaws in how Internet Explorer interprets HTML with certain layout positioning combinations.
- A flaw in how Internet Explorer handles chained Cascading Style Sheets (CSS).
- A flaw in how Internet Explorer instantiates COM objects that are not intended to be instantiated in the browser.
- Script being used to access the location of a Window in another domain or Internet Explorer zone.
- A flaw in how Internet Explorer handles specially crafted FTP links that contain line feeds.
Metasploit Framework creator H.D. Moore released at least one new browser flaw a day last month as part of his self-titled "Month of Browser Bugs" project, and Sarwate believes that is why the August Internet Explorer update is so large. Plus, from what he can tell, this update does not even address all the known IE flaws.
Other critical fixes
The remaining critical fixes for August are:
MS06-043, which addresses a remote code execution vulnerability in Windows that results from incorrect parsing of the HTML protocol.
MS06-044, which addresses a remote code execution flaw in the Windows Management Console.
MS06-046, which addresses a flaw in the HTML Help ActiveX control. "An attacker could exploit the vulnerability by constructing a malicious webpage that could potentially allow remote code execution if a user visited that page," Microsoft said.
MS06-047, which addresses a flaw in how Visual Basic for Applications checks the document properties that a host application passes to it when opening a document. Microsoft Office applications are affected by this vulnerability, Microsoft said.
MS06-048, which addresses two Microsoft PowerPoint flaws that had already been disclosed in the past month. One flaw can be exploited when a file containing a malformed shape container is parsed by PowerPoint. The other flaw could be exploited when PowerPoint parses a file containing a malformed record.
MS06-051, which addresses two flaws: a privilege elevation vulnerability in how Windows 2000 starts applications, and a flaw in how exception handling is managed on multiple applications that are resident in memory.
Three 'important' fixes
Microsoft rated three security updates as "important" this month:
MS06-045, which addresses a flaw in how Windows Explorer handles drag-and-drop events.
MS06-049, which addresses a privilege-elevation flaw in Windows 2000 caused by improper validation of system inputs.
MS06-050, which addresses two flaws: an unchecked buffer in the code that is used for handling hyperlinks, and a malformed function that appears when hyperlinks are handled. An attacker could exploit the flaws by constructing a malicious hyperlink that could potentially lead to remote code execution if a user clicks a malicious link within a Microsoft Office file or e-mail message. While this bulletin technically addresses a flaw within Windows, it is the cause of a zero-day flaw in Microsoft Excel that attackers could exploit to launch malicious code.