8 Critical Flaws Patched by Microsoft
By Ed Oswald | Published June 13, 2006, 4:33 PM
Microsoft has released its super-sized Patch Tuesday, heavy on "critical" patches, with eight rated as such. Four other patches rounded out the list of updates, with three patches rated "important" and one rated "moderate."
Of the eight most serious fixes, two affect Internet Explorer, one JScript within Internet Explorer, one Windows Media Player, two Windows itself, one Word, and another PowerPoint.
The patch for Word fixes a highly-publicized zero-day exploit that has already been used in several cyber attacks. The vulnerability can be exploited after a user opens a specially crafted Word file with a malformed object pointer, allowing for code execution.
Another is a cumulative patch for Internet Explorer, which fixes five code execution vulnerabilities, a spoofing flaw, and an issue that could pose either an information disclosure or a spoofing risk.
Included in the cumulative patch is an update that changes the way Internet Explorer handles ActiveX controls.
The modification was initially made back in March in response to a patent infringement case that Microsoft was involved in with Eolas. However, Microsoft offered developers a reprieve by delaying the forced change for two months to allow them time to modify their applications.
Two other patches resolve Internet Explorer issues. One fixes a remote code execution risk in AOL ART binary support that shipped with Windows and Internet Explorer. A specially crafted ART file could be used to take complete control of an affected system, Microsoft warns.
A memory corruption issue with JScript that could be exploited through specially crafted code within an e-mail or on a malicious Web site has also been remedied.
Remote code execution flaws in Windows Media Player, PowerPoint, the Graphics Rendering Engine and Windows' Routing and Remote Access service round out the rest of the critical patches. Media Player's problem involves the handling of PNG files. PowerPoint's patch fixes a flaw related to malformed records within PPT files.
The vulnerability within the Graphics Rendering Engine stems from its handling of Windows Metafile files; however, it only affects Windows 98 and ME systems, according to the advisory. The Routing and Remote Access update covers two separate vulnerabilities, one involving memory corruption and one involving registry corruption.
In all cases, an attacker could take complete control of an affected system.
Of the "important" updates, one affects Exchange Server and two others affect Windows. Users running Outlook Web Access are at risk of remote code execution from specially crafted scripts within malicious e-mail messages. However, the e-mail needs to be opened for the exploit to occur.
Elevation of privilege and invalid handle vulnerabilities have been fixed in an update to the Windows Server Message Block component, and flaws in the TCP/IP protocol driver have also been repaired.
Finally, a problem in RPC Mutual Authentication that posed a spoofing risk has been fixed. The patch was only rated "moderate" as the user would need to connect to a malicious RPC Server, and Windows 2000 Service Pack 4 is the only affected operating system version.
This Patch Tuesday was Microsoft's largest since February of last year and second largest overall. At TechEd 2006 in Boston this week, the company has pledged to make Windows Vista more secure, and has implemented new programs to catch issues before software is publicly released.
Patches and patches and patches..... Absolute security is not possible in any field of life, and identical solutions for everybody are the best way for never having security at all. Leave the expensive and bulky solutions for big and powerful organizations such as banks and big corporations, which are always a target for thieves and intruders and must fight every day for their survival, and simultaneously create a simple and cheap Windows 98 successor for modest home users who are never a target for hackers... but until now are treated as a target by Microsoft!
Score: 0
|I am all for security updates, but one of these patches made WLM 8.0 beta not work on both of my machines.
Score: 0
|Anyone making the claim that Windows Vista is a "simple patch" should have a look at the following pages,
http://en.wikipedia.org/wiki/Windows_vista
http://en.wikipedia.org/...es_new_to_Windows_Vista
Score: 0
|For those of you not wanting the ActiveX control "enhancement" that MS had to put in place because of the lawsuit, watch the IE6 update.
http://www.microsoft.com.../Bulletin/MS06-021.mspx
"This security update also replaces the compatibility patch released on April 11, 2006. That compatibility patch temporarily returned Internet Explorer to the previous functionality for handling ActiveX controls, to help enterprise customers who needed more time to prepare for the ActiveX update changes discussed in Microsoft Knowledge Base Article 912945. This security update replaces that compatibility patch, and makes the changes in Microsoft Knowledge Base Article 912945 permanent."
I am choosing not to install this patch, I don't want that extra limitation installed on my machines. I will take my chances with anything else included in that update.
Score: 0
|We've had it installed across our WAN for two months. No complaints or real issues.
Score: 0
|It isn't the fact that we are having issues with it, I just don't like yet ANOTHER reason to click around on websites. IE6 is starting to look like UAC in Vista..:)
Score: 0
|Now I wonder.... got 2 betas, IE7 and Office 2007, on the box.... are these afflicted with the same problems and are they being fixed? In particular, since MSFT claims that IE7 is so deeply embedded into the OS (XP), do the beta testers have an extra exposure?
Score: 0
|In response to IE7... http://blogs.msdn.com/ie.../2006/06/13/629724.aspx
They released an update for IE7+ on Vista, but apparently did not for IE7 on XP... a commenter is awaiting a response on the XP matter.
In response to Office 2007...
It's not listed as an affected product, therefore, it is not an issue and does not merit a fix.
Score: 0
|They patched holes in the OS so now windows is safer. This is good, whatever way you look at it.
Score: 0
|You have a very sensible, intelligent, responsible way of looking at things! :)
Score: 0
|And you sound like a fortune cookie ;)
Not that I disagree.
Score: 0
|Let the "MS Sucks", followed by rebuttal, followed by "hey why do the MS fanboys always say my favorite underdog OS sucks?" ritual begin.
Score: 0
|Swiss cheese is still swiss cheese no matter how many times you try and patch the holes...
Score: 0
|A patch is still a patch, even if you charge for it and tell everyone it's a new version.
Score: 0
|Very true, which is why I'm not buying Vista.
Score: 0
|Oh? You have a heavily rewritten version of Windows 2003? Where can I get that?
Score: 0
|A patch is still a patch, even if you charge for it and tell everyone it's a new version.
Lol that was a good come back. I like that one...
Score: 0
|Hell if I know, not like they can stick to any sort of deadline...
Score: 0
|Hey, they got these fixes out ON patch Tuesday :)
Score: 0
|lol
Score: 0
|I wonder why it is that every time a critical patch surfaces it warrants so much criticism? I'm sure Linux has its share of patches as well... is it not a good thing that MS recognizes, tests and creates a solution to these issues? Every time I hear there is a new critical patch I'm happy to get it. I have an opposite reaction to what most here have, I guess.
Score: 0
|Jordan, you don't understand. Microsoft cannot win. They make an insecure OS and people moan. They patch the holes and people moan. They make it more secure and people moan. Putting it simply, people will just moan because Microsoft is Microsoft.
Hope this helps :)
Score: 0
|How true. In fact, I have never come across an MS-related article here that does not have any negative comment whatsoever, even if the news is all positive.
Score: 0
|People moan because they're not happy unless they have something to complain about to show off how much better they THINK they are than whatever the complaint is. Everyone likes to think they have a better way to do things than anyone else.
Score: 0
|Damned if you do, damned if you don't. They want to make the OS more secure so they spend lots of time adding security and rewriting areas with vulnerabilities. This causes missed deadlines. People moan about not getting a new version of an OS they claim to hate. An interesting paradox don't you think?
Score: 0
|They claim every new OS is the "most secure ever," yet we're seeing many of the same patches for Server 2003 that we see on XP and 2000.
Score: 0
|Jordan, you don't understand. The underdog will always "win" these arguments. They make an insecure OS and its users ignore it. They patch the holes and people pretend those patches are perfect and happen overnight. They make it more secure and people go "look at me, look at me". Putting it simply, people will just blindly support the underdog because they think it makes them different/smarter/special.
Fixed ;)
Score: 0
|Why'd you post that in reply to my post? We agree.
Score: 0
|Exactly why I WON'T buy VISTA!
Exactly.
Score: 0
|EXACTLY!
How much will they charge for the Windows XP update... I mean VISTA.
HAHAHAHAHAHAHAHAHA
Score: 0
|Which is a miracle in itself...
Score: 0
|Since you overlooked what I replied to Azazel with yesterday, and couldn't do anything but paraphrase what he said, I'll quote my own response to him.
"Oh? You have a heavily rewritten version of Windows 2003? Where can I get that?"
---
"How much will they charge for the WindowsXP update."
Because we all know how they charged everyone for SP2. Oh, that's right, they didn't.
Score: 0
|Since you overlooked what I replied to Azazel with yesterday, and couldn't do anything but paraphrase what he said, I'll quote my own response to him.
"Oh? You have a heavily rewritten version of Windows 2003? Where can I get that?"
---
"Exactly why I WON'T buy VISTA!"
And I thought it was because it isn't named after a wild cat?
Score: 0
|Charge for patching SWISS CHEESE?
Smoke more crack Grazer
Score: 0
|"Smoke more crack Grazer"
Na, I by default look at the world too differently to need drugs. I leave those to you and your ad hominem brethren. :)
Score: 0