
Patch Tuesday sees three new fixes, none for Microsoft Word

Microsoft gave system administrators a break today, releasing only three fixes for September's Patch Tuesday.

The latest monthly release was a far cry from last month's distribution, when the Redmond, Wash., company sent out a dozen patches, and from the seven-fix release of the month before.

Microsoft deemed only one of today's fixes critical: a patch for Microsoft Office, which carries a severity rating of important for more recent versions, according to a company advisory. The flaw could allow an attacker to take control of an affected system.

The software giant also released an "important" patch for a flaw in Windows that could allow a hacker to take control of a compromised system, as well as a "moderate" patch for a flaw in Windows that could allow a hacker to obtain information from a PC.

But what wasn't included in this month's Patch Tuesday release was noted by researchers from Qualys, who said today that Microsoft had enough time to fix a bug in Microsoft Word.

"There should be a patch for a flaw in Word, and there is already an exploit out there that has the potential to affect users. That exploit was announced around Labor Day weekend," said Amol Sarwate, director of the Qualys vulnerability research lab. "It's definitely smaller as compared to the last two, but apart from the Word vulnerability patch missing, there is nothing unusual. These are part of a continuing trend in seeing more client-side vulnerabilities."

A Microsoft spokesman said today that Redmond is investigating reports of zero-day attacks and will take appropriate action when the investigation is complete.

Alain Sergile, technical product manager for Internet Security Services X-Force, said exploits for the most critical patched flaw require considerable user interaction.

"The most serious of the patches was for Office's Publisher program; however, the stuff necessary to exploit the issue are so intensive because they rely so much on user interaction," he said. "This is Office Publisher, which tends to be an older application, and the other thing is that the text file that would have to be sent would have to be an Office Publisher file. That's not something that you would find in a corporate environment."

Microsoft also re-released two previous patches today. Both, MS06-042 and MS06-040, have a maximum severity rating of critical and fix flaws within Windows that could allow an attacker to take control of an affected system.

Click here to email online editor Frank Washkuch Jr.
