
Install June patches or face new exploit code, Microsoft warns


Microsoft released a new security advisory on Friday after malicious code was published for a recently patched flaw in the Remote Access Connection Manager service.

Users with the Windows 2000 operating system are primarily at risk from the exploit code, according to the advisory. Systems with the MS06-025 patch are not at risk from the malicious code, according to Microsoft.

The software giant had already updated MS06-025 earlier this month because of scripting issues.

The Redmond, Wash., company scolded security researchers who released details of the exploit code without notifying the company first.

"Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users. We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities," Microsoft stated in the advisory.

When it released the bulletin earlier this month, Microsoft said the flaw could allow remote code execution.

Microsoft released a dozen new patches on this month's Patch Tuesday – eight of which were deemed critical by the software giant – including a cumulative security update for Internet Explorer and a long-awaited fix for Microsoft Word.

Critical flaws in ART Image Rendering, JScript, Media Player, the graphics rendering engine and PowerPoint were also fixed.

Microsoft also released three bulletins it deemed "important," including a fix for a flaw in running Outlook Web Access that could allow remote code execution, a flaw in Server Message Block that could allow elevation of privilege and a flaw in TCP/IP that could also allow remote code execution.

A moderate flaw in RPC Mutual Authentication that could allow spoofing was also fixed.
