[gui-talk] Article: Microsoft Patches 28 Security Flaws
Steve Pattison
srp at internode.on.net
Tue Oct 10 20:28:13 CDT 2006
This article is taken from the Beta News home page at www.betanews.com. -Steve.
Microsoft Patches 28 Security Flaws
By Ed Oswald, BetaNews
October 10, 2006, 5:36 PM
Microsoft scaled back its October patch event by one on Tuesday, electing to release ten patches. Five patches are intended for Windows, the highest rating of those being critical; four for Office, with the highest rating also being critical; and one moderate patch for the .NET framework.
As is typical with information surrounding Patch Tuesday releases, Microsoft did not specify the nature of the dropped patch.
Altogether across the ten patches, a staggering 28 security issues have been fixed, with a large portion of them yet again coming from the Redmond company's Office productivity suite.
The delivery of those patches may be delayed for some consumers and enterprise customers due to technical difficulties with the update servers delivering the patches. Downloads would be delayed until at least Wednesday for customers using Microsoft Update, Automatic Updates, Windows Server Update Services (WSUS), and Windows Update v6.
"To be clear, it's a delay due to the networking for these systems: there are no issues with the security updates themselves," Craig Gehre of the Microsoft Security Response Center said. "Technical teams are engaged and have been working around the clock to resolve this problem."
Of the critical updates, two are intended for Windows. Both fix remote code execution vulnerabilities - one in XML Core Services and the other in Windows Shell. Of the Office flaws, remote execution issues are fixed in PowerPoint, Excel, Word, and general issues were resolved across the entire suite.
One important flaw was repaired: a Windows Server Service bug that could result in a denial of service issue within the operating system. In both cases a specially crafted network message could either result in a system becoming unresponsive, or in the worst case scenario an attacker could take complete control of the affected system.
Rounding out October's Patch Tuesday were two moderate risk flaws, one in ASP.NET that could allow for information disclosure, and the other in the Windows Object Packager that allows for remote code execution. However, unlike the more severe code execution issues described earlier, in order for the flaw to be exploited, user interaction is required.
Finally, the least serious of the flaws, one rated as low risk, involves several vulnerabilities with the TCP/IP protocol within Microsoft Windows. Microsoft says the worst of the issues could result in a denial of service issue for users.
Security solutions company PatchLink recommended that users and IT departments apply the XML Core Services patch immediately before any of the other issued patches.
"This particular patch should be prioritized above the other critical patches from today because there are no temporary workarounds for this particular vulnerability and an IE exploit could be built that executes remote code simply by viewing a page," PatchLink director of solutions and strategy Don Leatham said.
Leatham recommended that all other patches be applied within 72 hours, especially in light of the multiple issues fixed Tuesday in the Office productivity suite.
"It is very simple to create a link in a web page that can entice a user to unknowingly open a malicious Microsoft Office document," he said. "If the user doesn't have their Microsoft IE security set to 'high' they can end up automatically opening a Word, Excel or PowerPoint document that can allow an exploit to run on their computer."
Regards Steve
Email: srp at internode.on.net
Skype: steve1963
MSN Messenger: internetuser383 at hotmail.com