Excel Focus of July Patch Tuesday

By Ed Oswald | Published July 11, 2006, 4:52 PM

Microsoft released a bevy of critical updates Tuesday, with a focus on the multitude of Excel vulnerabilities that have sprung up over recent months.

Eight different flaws within the popular spreadsheet program were fixed in a single update, along with two critical flaws in Windows, two other critical issues affecting Office and other Microsoft programs, and "important" issues with the .NET Framework and IIS.

The Excel update includes fixes for various issues with malformed records and values, the most serious of which could open up a user's machine to a remote code execution risk. The patch also replaces a previous one issued in March to correct other issues within Excel.

The fix also closes holes that attackers exploited in zero-day attacks that cropped up in the middle of last month.

In addition to the Excel patch, Microsoft fixed two other vulnerabilities in Office. One deals with a parsing flaw that could lead to remote code execution and a system takeover risk. A similar risk exists for another patched flaw, this time dealing with issues in how Office handles malformed PNG and GIF files.

In Windows, Microsoft has patched two problems with the Server and DHCP services. In Server services, a vulnerability exists in the driver, which could open a system up to a takeover risk, and an information disclosure risk exists that could allow an attacker to view fragments of memory used to store SMB traffic during transport.

In DHCP services, a buffer overrun flaw could allow for remote code execution and system takeover, Microsoft says.

In addition to the critical updates, the Redmond company also released two patches rated "important," which mainly affect those running Web sites on the Windows platform. One fills a hole in ASP.NET security that exposed information that could assist in future attacks.

"Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce useful information that could be used to try to further compromise the affected system," Microsoft said.

Another patch resolves an issue where a specially crafted ASP file could exploit a flaw within IIS. The problem results from an "unchecked buffer."

Users can download all seven security bulletins immediately through Automatic Updates, or Microsoft's various other update services.

Comments

This update seems to have caused every single machine that we have on our network to screw up. Our Mail server has been jacked up ever since the update was installed.

Score: 0

wat up

Score: 0

I sure hate it when my machine reboots by itself overnight. I wonder what I might have left running or unsaved when I left last night. Oh geez did my backup finish?

Where is my option to automatically download, and patch, but NOT REBOOT.

Score: 0

@ ScotchMoose:

Ctrl Panel > Security Ctr > Auto Updates:

Select the "download updates, but let me choose when to install."

There is no option to run the install, then let you choose when to reboot, afaik.

Score: 0

Yes there is, but you need WSUS/Windows domain to do it.

Score: 0

917537 isn't installing correctly on my box, it's continually prompting for install after it installs.

Score: 0

The patch also replaces a previous one issued in March to correct other issues within Excel.

^^ Was the other patch installed?
I did them all without a hitch.

Score: 0

That's good

Score: 0

Likewise, it requests to install:
Security Update for Windows Server 2003 (KB917537)
Windows Malicious Software Removal Tool - July 2006 (KB890830)
Update for Outlook 2003 Junk Email Filter (KB919031)
Security Update for Windows Server 2003 (KB917159)
Security Update for Excel 2003 (KB918419)
Security Update for Office 2003 (KB917151)
Security Update for Windows Server 2003 (KB914388)
Security Update for Office 2003 (KB914455)
Security Update for Microsoft .NET Framework, Version 2.0 (KB917283)

then after install, reboot, then it wants to install them all again! any clues?

Score: 0
