Microsoft fixes Office, Windows flaws

This month's only critical fix is for a flaw in Microsoft Publisher, a component of Office. Attackers could exploit the flaw to take control of vulnerable machines.

As expected, Microsoft released three security fixes on 12 September for flaws in components of Windows and Office. One security expert recommended IT administrators use the lighter patching load as an opportunity to tighten defenses against ever-increasing zero-day threats.

The only critical update this month is MS06-054, which addresses a remote code execution vulnerability in Microsoft Publisher, part of the Microsoft Office. The flaw surfaces when the program handles malformed PUB files.

"If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft officials said. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The flaw affects Office 2000 Service Pack 3, Office XP Service Pack 3; Office 2003 Service Pack 1; Office 2003 Service Pack 2; and Microsoft Publisher 2000, 2002 and 2003.

Meanwhile, Microsoft released MS06-052, an "important" update for Pragmatic General Multicast (PGM), a multicast protocol within Windows used to detect, report on and request retransmission of incomplete or lost inbound data.

Microsoft officials said attackers could exploit a remote code execution flaw in the program to send a specially-crafted multicast message to an affected system to launch malicious code. The problem is that the application fails to properly bounds check externally-supplied data. Windows XP Service Pack 1 and Windows XP Service Pack 2 are affected.

Finally, Microsoft released MS06-053, a "moderate" fix for an information disclosure vulnerability in the Windows Indexing Service. The flaw is in how the program handles query validations.

"The vulnerability could allow an attacker to run client-side script on behalf of a user," Microsoft officials said. "The script could spoof content, disclose information, or take any action that the user could take on the affected Web site."

The flaw affects:

  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 1
  • Windows XP Service Pack 2
  • Windows XP Professional x64 Edition
  • Windows Server 2003
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 (Itanium)
  • Windows Server 2003 SP1 (Itanium)
  • Windows Server 2003 x64 Edition

    Chris Andrew, VP of security technologies for vulnerability management firm Patchlink Corp., suggested IT administrators use the lighter load this month to harden their defenses against the growing array of zero-day threats. He noted that attackers are actively exploiting a Microsoft Word flaw that wasn't patched this month, and that zero-day threats will keep increasing.

    "There's a lot they could be doing to lock down their network, like restricting user rights and making sure security policies are well organised," he said.

  • Read more on IT risk management