
A dozen new Microsoft fixes released on Patch Tuesday

Microsoft released a dozen new patches on Tuesday - eight of which were deemed critical by the software giant - including a cumulative security update for Internet Explorer and a long-awaited fix for Microsoft Word.

The cumulative bulletin "resolves several vulnerabilities in Internet Explorer that could allow remote code execution."

Among the other critical bulletins was a long-anticipated fix for a flaw in Word that could also allow remote code execution.

Critical flaws in ART Image Rendering, Jscript, Media Player, routing and remote access, graphics rendering engine and PowerPoint were also fixed.

Microsoft also released three bulletins it deemed "important," including a fix for a flaw in Outlook Web Access that could allow remote code execution, a flaw in Server Message Block that could allow elevation of privilege and a flaw in TCP/IP that could allow remote code execution.

A moderate flaw in RPC Mutual Authentication that could allow spoofing was also patched.

Oliver Friedrichs, director of Symantec Security Response, pointed out that a number of the flaws require only a malicious website to infect PCs.

"Client-side vulnerabilities have become one of the most prominent methods by which computers become infected today. By simply visiting a malicious website, one can have crimeware, spyware and adware installed on their computer, posing a serious risk to their privacy," he said. "Today’s release continues that trend and users are urged to install these patches as soon as possible."

Redmond did not tip its hand in the past month as to whether it would release an early patch for the flaw, for which it was getting reports of only limited zero-day attacks on affected systems.

Microsoft and eEye Digital Security released security advisories for the flaw.

Jonathan Bitle, senior product manager for Qualys, said the size of the patch release may have caught some IT administrators off guard.

"I think that it caught a lot of people off guard," he said. "It’s the largest release since February of 2005."

Last month, on Patch Tuesday, the Redmond, Wash., company released three fixes, two of which addressed remote code execution. One of the critical patches was for Microsoft Exchange, another was for a hole in the Macromedia Flash Player and a third was for a flaw in Microsoft's Distributed Transaction Coordinator that could allow a DoS attack.

Microsoft released five patches in April's release, including one long-awaited fix for a critical Internet Explorer flaw.

Amol Sarwate, vulnerability lab manager at Qualys, said he didn’t expect to see so many client-side flaws fixed.

"What’s unexpected was that a host of client-side remote code execution flaws was released this month," he said.

Monty Ijzerman, senior manager of McAfee Avert Labs’s Global Threat Group, pointed out that Microsoft has patched a considerably higher number of flaws than a year ago.

"Today we are seeing a high number of vulnerabilities being announced by Microsoft, many of which are rated critical," he said. "In the first half of 2006, Microsoft patched 70 percent more critical vulnerabilities compared to the same period last year. The vulnerabilities in Exchange 2000 and in RRAS released today might be exploited to create worms."
