June 13, 2006 1:37 PM PDT

Microsoft plugs 21 security holes

Microsoft has issued patches for 21 flaws in its software, saying all but two of them could let an intruder run malicious code on a compromised computer.

The company sent out a dozen security bulletins on Tuesday as part of its regular monthly patch cycle. Eight of the bulletins are labeled "critical," which is Microsoft's highest risk rating. They cover problems with Windows, Internet Explorer, Word, PowerPoint and Exchange Server.

The number of vulnerabilities mean this is Microsoft's largest clutch of patches to date, security experts said.

"There has never been a Microsoft security update to address 21 issues and never one with 19 potential remote execution flaws," said Amol Sarwate, the manager of the Vulnerability Management Lab at flaw management specialist Qualys.

The most important bulletin, MS06-025, is a fix for routing and remote access vulnerabilities in Windows, said Jonathan Bitle, a senior product manager at Qualys.

"These (vulnerabilities) take advantage of two listening services that run on the host and listen for traffic coming in through ports that are frequently utilized," Bitle said. "While a lot of these (other Microsoft) remote execution flaws require interaction (by the user), this one does not. A user doesn't have to click on a link or open an attachment."

The routing and remote access are deemed critical for systems running Windows 2000, and "important"--the second risk ranking--for Windows XP with Service Pack 1 or 2, and for Windows Server 2003 with Service Pack 1.

Qualys is also suggesting that IT managers should jump on another patch, for an issue in Microsoft Exchange Server running Outlook Web Access (MS06-029), even though Microsoft has tagged it only as important.

"If a user checks their e-mail using Outlook Web Access, all they need to do is just open an e-mail in IE and it will cause the script in their e-mail to be remotely executed," Sarwate said.

Over the next days and weeks, IT administrators should be busy deploying the bundle of patches across their network, experts said.

"There are a couple different vulnerabilities. Some are IE browser problems, some affect the Media Player, ART imaging and JScript," said Chris Andrew, vice president of security technologies at PatchLink. "IT managers will probably have to patch every single desktop."

Four of the critical updates deal with security holes that could allow remote code execution in all versions of Windows. One is a cumulative update for the Internet Explorer component (MS06-021), affecting versions 5.01 and 6 of the Web browser. Another (MS06-024) deals with a problem with Windows Media Player, versions 7.1, 9 and 10. The others cover vulnerabilities in Microsoft Jscript (MS06-023) and ART image rendering (MS06-022).

Another critical Windows bulletin, related to bugs in its graphics rendering engine (MS06-026) affects Windows 98, Windows 98 Second Edition (SE) and Windows Millennium Edition (ME) only.

Two updates affecting Office were also given the highest risk rating. A vulnerability in Word (MS06-027) also hits Microsoft Works. The bulletin for a flaw in PowerPoint (MS06-028) replaces an earlier patch.

Microsoft also issued a fix for an important flaw in Windows' Server Message Block (SMB) component (MS06-030) that could enable attackers to elevate their level of system privileges. The "moderate" bulletins covered an RPC Mutual Authentication (MS06-031) problem and a TCP/IP problem (MS06-032) in Windows.

See more CNET content tagged:
Qualys Inc., bulletin, security hole, Microsoft JScript, information technology manager


Join the conversation!
Add your comment
is this really news anymore
Microsoft issuing security patches, is this really news anymore? When they find a problem, then fix them and just about every week they find something and they fix it. It's pretty commonplace now, so why keep reporting it? Now, if they did something really different, like fix all problems at once, that would be interesting!
Posted by thedreaming (573 comments )
Reply Link Flag
Well people benifit by knowing that they need to patch their machine
Its is good to know through news about the defects because, it may help people to patch their machines.

Look at the brighter side, microsoft is finding bugs and fixing them instead of doing nothing!!

Fixing all security bugs is not gonna happen. There are too many smart hackers out there.
Posted by Tanjore (322 comments )
Link Flag
Not News?
How is this not news? Not everything in the news has to be people getting killed or servers blowing up. I'm sorry that this article didn't excite you. But it helps people like me who have to approve updates for my company.
Posted by Gasaraki (183 comments )
Link Flag
News? Maybe. Useful? Probably not...
It may be news but unless your Windows computer isn't already on broadband, it's not really helpful for anyone except the scorekeepers. MS updates are automatically (by default) downloaded and installed on their systems. I don't see how knowing about these automatic updates will help those who, by the time they read about it, have already installed them.
Posted by sanjef (31 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.