August 8, 2006 12:41 PM PDT

Another hefty patch month for Microsoft

Last modified: August 8, 2006 2:22 PM PDT

Update: For the third straight month, it's a busy "Patch Tuesday."

As part of its monthly security update cycle, Microsoft on Tuesday released a dozen security bulletins. Nine of them are tagged critical, the company's highest severity rating. The alerts give details of 20 flaws in Windows and three in Office, all of which Microsoft has now fixed.

Several of the issues, such as a vulnerability in PowerPoint, have already been publicly reported and are being actively used in cyberattacks. However, the bundle of updates also covers bugs that Microsoft discovered itself, the company said. These issues have not been publicly disclosed and are not described in the bulletins.

"Today, Microsoft patched 23 vulnerabilities, the highest number since their monthly patch program started," Monty Ijzerman, a senior manager at McAfee's Avert Labs, said in a statement. Of those flaws, 11 were publicly known or exploited before Microsoft provided fixes, he said.


Of specific interest is a remotely exploitable vulnerability in Windows, which Microsoft reports is already being used in attacks on PCs. The problem lies in a Windows service that provides support for networking features such as file sharing and printer sharing, the company said in security bulletin MS06-040.

"This is the one that we're encouraging people to prioritize and put on the top of the stack for their testing and deployment," Christopher Budd, security program manager at Microsoft, said in an interview. If immediate patching is not possible, Microsoft suggests using its workarounds, he said.

The flaw addressed in MS06-040 is the only one in Microsoft's Tuesday patch bunch that could let an anonymous attacker remotely commandeer a Windows PC without any user interaction, Budd said. Microsoft has seen a "very limited attack" that already exploited this flaw, he said.

The infamous MSBlast worm, which wreaked havoc in 2003, exploited a similar flaw, related to a Windows component called remote procedure call.

Last month, Microsoft patched a potential Windows worm hole when it released seven bulletins tackling 18 security flaws in Windows and Office. The patching rush started in June, when it released 12 bulletins. It came after a patch lull, with only three alerts in May, five in April and two in March.

Another of this month's flaws that could be exploited without any user interaction lies in the Windows Domain Name System (DNS) client, which is used to help translate URLs into numerical IP addresses. However, an attacker has to be on the same subnetwork as the intended target or must trick the user into making a DNS request to a malicious server, Microsoft said in bulletin MS06-041.

The bulk of the problems addressed by the August patches could be used for attacks via the Web or e-mail. They include security holes in the Internet Explorer Web browser, the Outlook Express e-mail client and other Windows and Office components.

For example, MS06-042 delivers fixes for eight IE bugs, and the user has to be duped into visiting a malicious Web site for attacks based on the holes to succeed, Microsoft said.

While it is a busy Patch Tuesday, Microsoft has not addressed all known flaws in its products. For example, a variant of a bug patched last month in a Windows component called "mailslot" is still without a fix. Proof-of-concept code that exploits this flaw was posted to the Net last month.

Microsoft recommends that people install the critical fixes immediately. The updates are available via the Windows Update and Automatic Updates tools. Temporary workarounds are outlined in the security bulletins for those who can't immediately apply the patches.


22 comments
Why don't they just start over.
by technewsjunkie August 8, 2006 1:33 PM PDT
Swiss cheese.
MS security problems will only increase in the coming months/years
by extinctone August 8, 2006 1:38 PM PDT
I said this years ago, and it only becomes more fitting every year. "MS security problems will only increase in the coming months/years." I've worked in IT since the 80's. Based on Microsoft's past record and current actions I don't see any change in the near future. I almost feel bad for those wing nut IT guys that only know Microsoft technologies. You'll probably be out of a job in the next two years as US businesses get with the program, like most other countries, and use alternatives to Microsoft products. (Not only for security reasons but cost of ownership, compatibility/standards, privacy, freedom to use IT products as you wish, the list goes on...)
Don't be deceived
by GrandpaN1947 August 8, 2006 7:44 PM PDT
Along with these security updates will be other validation tools to make sure you're using legal MS applications. I didn't know this was a security problem.

Has anyone noticed their systems getting more unstable? Perhaps this is coincidence with Vista coming out soon. I sure hope Apple rescues us from MS crap. Will Vista be considered spyware?
August update disabled my keyboard
by Vetti August 8, 2006 11:03 PM PDT
After working on my computer for a few hours, I was prompted that I needed to restart my computer to finalize the security updates.

However, as the computer was starting back up, I heard this fast beeping sound, then a black screen popped up that said something to the effect that the keyboard was not responding.

After the computer was completely up and running, I tried to use the keyboard, and sure enough, it didn't work. So I performed a system restore to earlier today, and everything worked perfectly. Obviously some problem with the security update.