Microsoft on Tuesday released three security updates for Windows and Office to patch as many vulnerabilities, following several consecutive Patch Tuesday events that saw much larger batches of fixes. The software giant rated only one of the September patches as “critical.”
Bulletin MS06-054 addresses the critical flaw. The bulletin described a bug in Microsoft Publisher, the company’s desktop publishing program that is bundled with some editions of Office. The other patches issued fix flaws in various versions of Windows. Those patches were rated “important” and “moderate.”
September’s release stems the software giant’s patch tide. Between June and August, Microsoft distributed a whopping 31 security updates to patch 62 bugs, including 41 critical fixes. However, some analysts are concerned that there should have been at least one more critical patch in the mix.
Zero-Day Exploit Targets Word
“Microsoft did not release a patch for the zero-day exploit in Microsoft Word, and it could be another month before the patch becomes available,” Chris Andrew, PatchLink’s vice president of security technologies, told TechNewsWorld, noting that IT administrators now face the important task of protecting the network until Microsoft releases a fix.
An IT administrator’s best option for working around the vulnerability is to turn on safe mode in Microsoft Word, Andrew suggested, or use Microsoft Word Viewer to open e-mail attachments.
“IT administrators should evaluate their IT environment and make sure that a suitable firewall technology can control the inflow of documents,” Andrew added. “Organizations should also communicate to the end-user community on the temporary workaround action plan.”
Security analysts agree that the Microsoft Publisher vulnerability is the most dangerous of the three addressed on Patch Tuesday. That’s because an attacker who successfully exploited it could take full control of the affected system if the targeted user were logged into Windows with administrative user rights.
“An attacker could exploit this vulnerability when Publisher parses a file with a malformed string,” Microsoft said in the bulletin, which explained that the bug lies in the way the application parses the files. A successful exploit would come in the form of a document sent via e-mail or via a malicious Web site.
Experts warn that IT administrators should be diligent in patching all systems for this critical bulletin immediately, even though Microsoft said the bug has not been exploited in the wild. That is welcome news for IT departments, which have seen several vulnerabilities over the past few months exploited before Microsoft issued a patch.
Open to Attack
MS06-052 was labeled “important.” It addresses a bug in a Windows XP protocol called PGM, or Pragmatic General Multicast. Microsoft said any anonymous user who could deliver a specially crafted message to the affected system could try to exploit the vulnerability.
“For the PGM communications vulnerability, the system must have the optional PGM installed in order to be vulnerable,” Andrew explained. “However, if the system does have PGM installed, the attacker only needs to route multicast packets to the affected system to remotely execute code. It is recommended that this patch be applied.”
Finally, MS06-053 fixes a vulnerability in Windows’ Indexing Service. The service is used to create content indexes stored in file systems and on virtual Web servers. Security experts warned against relaxing simply because Microsoft rated the patch as only “moderate.”
“This vulnerability allows an attacker to run a client-side script to spoof content, disclose information or behave as that user on the affected Web site. It is recommended that this patch be applied,” Andrew concluded.