As part of its monthly security update cycle, Microsoft on Tuesday released a dozen security bulletins. Nine of them are tagged critical, the company's highest severity rating. The alerts give details of 20 flaws in Windows and three in Office, all of which Microsoft has now fixed.
Several of the issues, such as a vulnerability in PowerPoint, have already been publicly reported and are being actively used in cyberattacks. However, the bundle of updates also covers bugs that Microsoft discovered itself, the company said. These issues have not been publicly disclosed and are not described in the bulletins.
"Today, Microsoft patched 23 vulnerabilities, the highest number since their monthly patch program started," Monty Ijzerman, a senior manager at McAfee's Avert Labs, said in a statement. Of those flaws, 11 were publicly known or exploited before Microsoft provided fixes, he said.
Of specific interest is a remotely exploitable vulnerability in Windows, which Microsoft reports is already being used in attacks on PCs. The problem lies in a Windows service that provides support for networking features such as file sharing and printer sharing, the company said in security bulletin MS06-040.
"This is the one that we're encouraging people to prioritize and put on the top of the stack for their testing and deployment," Christopher Budd, security program manager at Microsoft, said in an interview. If immediate patching is not possible, Microsoft suggests using its workarounds, he said.
The flaw addressed in MS06-040 is the only one in Microsoft's Tuesday patch bunch that could let an anonymous attacker remotely commandeer a Windows PC without any user interaction, Budd said. Microsoft has seen a "very limited attack" that already exploited this flaw, he said.
The infamous MSBlast worm, which wreaked havoc in 2003, exploited a similar flaw, related to a Windows component called remote procedure call.
Last month, Microsoft patched a potential Windows worm hole when it released seven bulletins tackling 18 security flaws in Windows and Office. The patching rush started in June, when it released 12 bulletins. It came after a patch lull, with only three alerts in May, five in April and two in March.
Another of this month's flaws that could be exploited without any user interaction lies in the Windows Domain Name System (DNS) client, which is used to help translate URLs into numerical IP addresses. However, an attacker has to be on the same subnetwork as the intended target or must trick the user into making a DNS request to a malicious server, Microsoft said in bulletin MS06-041.
The bulk of the problems addressed by the August patches could be used for attacks via the Web or e-mail. They include security holes in the Internet Explorer Web browser, the Outlook Express e-mail client and other Windows and Office components.
For example, MS06-042 delivers fixes for eight IE bugs, and the user has to be duped into visiting a malicious Web site for attacks based on the holes to succeed, Microsoft said.
While it is a busy Patch Tuesday, Microsoft has not addressed all known flaws in its products. For example, a variant of a bug patched last month in a Windows component called "mailslot" is still without a fix. Proof-of-concept code that exploits this flaw was posted to the Net last month.
Microsoft recommends that people install the critical fixes immediately. The updates are available via the Windows Update and Automatic Updates tools. Temporary workarounds are outlined in the security bulletins for those who can't immediately apply the patches.
See more CNET content tagged:
bulletin, flaw, DNS, attack, vulnerability




While downloading the patches do a load of wash.
Get a clue, man. Programmers and technology professionals focused on Microsoft products will be working and generating income for many, many years. Your prediction is completely bunk. Security only became a major focus once the Internet became widespread, and that's only been the last 15 years. Since then, EVERY company has put more emphasis on security, which means that every company and software package has identified an increasing number of software vulnerabilities over the past x years.
The logical prediction is... the longer and harder a company focuses on security, the more security problems they'll find... and then be able to fix, and the more vulnerabilities they fix, the more secure the product will be over time.
Microsoft and their technology base is not in any danger of being wiped away. At least, not outside of the world in your head.
The people I feel sorry for are the people who blindly drum away at their keyboard, writing software and GIVING IT AWAY for (to be) FREE, while complaining that the market is drying up and IT professionals can't get good jobs... and all the while they live in this false reality where their Mac/Linux/BSD/Atari system is completely secure, and Microsoft is losing ground.
Has anyone noticed their systems getting more unstable? Perhaps this is coincidence with Vista coming out soon. I sure hope Apple rescues us from MS crap. Will Vista be considered spyware?
For the record, I paid full retail for my copy, but I will NOT "let E.T. phone home" to the mother-ship every time it feels like it. So, does this mean that if I refuse to capitulate to the WGA blackmail, and the security patches are not applied, and my machine gets hacked, I can sue MS for not allowing me to patch this piece of crap that shouldn't have holes in it in the first place?
MFT
- August update disabled my keyboard
- by Vetti August 8, 2006 11:03 PM PDT
- After working on my computer for a few hours, I was prompted that I needed to restart my computer to finalize the security updates. However, as the computer was starting back up, I heard this fast beeping sound, then a black screen popped up that said something to the effect that the keyboard was not responding.
- After the computer was completely up and running, I tried to use the keyboard, and sure enough, it didn't work. So I performed a system restore to earlier today, and everything worked perfectly. Obviously some problem with the security update.
-
- I dunno about that, I think a key was stuck.
- by extinctone August 9, 2006 5:17 AM PDT
- If you saw an error message in the black screen that first appears as your PC starts up, that would be a hardware issue. That error happened before any software started to load, Windows or not. I'm willing to bet a key was temporarily stuck, especially if you heard beeping.