Microsoft fixes 26 vulnerabilities

Redmond (USA) – It was undoubtedly those weeks of fire that just passed by the Microsoft security team. In fact, 26 patches have been distributed in these days by the big Redmond, a number to which the recent fix for the well-known Internet Explorer VML bug must be added.

New vulnerabilities are exposed in 10 security bulletins , five of which related to Windows, four to Office and one to MS.NET Framework. The flaws classified as “critical”, therefore usable to execute code remotely, are in all 15, and most concern Office.

“This is a record number of vulnerabilities that were patched in just one month,” said Monty Ijzerman, senior manager of McAfee Avert Labs’ Global Threat Group. “Crackers are increasingly focused on exploiting desktop application vulnerabilities rather than network infrastructure vulnerabilities,” said Mauro Toson, Symantec Italia presales manager. “The amount of vulnerabilities detected this month confirms this trend, so users should consider patching as a critical component of an effective security strategy.”

The two most serious Windows problems involve the shell (MS06-057) and XML Core Services (MS06-061). The first has been known since last July, but its true gravity only became evident last week, when some websites began to exploit the weakness to spread spyware and Trojans. The flaw, which affects both Internet Explorer and Windows Explorer, is caused by a buffer overflow of the WebViewFolderIcon ActiveX control included in Windows 2000, XP and 2003: in the latter platform Microsoft considers the danger of the bug to be of moderate level.

The second critical Windows flaw is instead caused by a buffer overflow in Extensible Stylesheet Language Transformations (XSLT), a component behind XML Core Services and XML Parser. Again, the problem affects Windows 2000, XP and 2003, and is considered to be of the greatest severity on all platforms.

The same bulletin relating to XML Core Services also describes a second vulnerability, this time with the risk class “important” (“low” in the case of Windows Server 2003), which can be exploited by malicious websites to intercept personal information that user posted on other sites.

Bulletins MS06-058, MS06-059, MS06-060 respectively provide details on some flaws in PowerPoint, Excel and Word which, depending on the case and the version of Office used, can allow an attacker to take control of a remote computer. The bugs described in the bulletin are of similar severity MS06-062 related to some generic components of Office and to Publisher.

The Internet Storm Center (ISC) advises that proof of concept and public exlpoits already exist for many of Office’s weaknesses : for this reason it invites users of the famous office suite to be very cautious when opening documents from unknown sources.

Finally, the bulletins are reported: MS06-063 which describes an “important” flaw in the Server service that can be exploited for denial of service (DoS) attacks; MS06-056 related to a moderate risk vulnerability in ASP.NET that could allow an attacker to intercept personal information; MS06-065 , which addresses a moderate risk buffer overflow in Windows Packager; And MS06-064 affecting several low-risk vulnerabilities related to the Windows TCP / IP implementation, the most serious of which could allow a DoS attack.

A summary table of the security bulletins and their severity level has been published here by the ISC.

Microsoft has warned its users that, for “network problems related to the Microsoft Update platform”, there were delays in the automatic patch deployment process . These can however be downloaded manually from the links provided within the bulletins.