Dr. Dobb's is part of the Informa Tech Division of Informa PLC

Microsoft Patches Critical IE, Media Player, Visual Studio Bugs


Microsoft on Tuesday released seven security updates that patched 11 vulnerabilities, almost half of them judged "critical," and broke a four-year-old record for the most fixes posted in a year.

As expected, the recently disclosed vulnerabilities in Microsoft Word, which already are being exploited, weren't patched. Tuesday's seven bulletins, however, were one more than expected; last week, Microsoft announced that it would post just six updates.

"It's a pretty typical patch day," says Chris Andrew, the VP of security technologies for patch management vendor PatchLink. "Both the IE and Windows Media Player [vulnerabilities] are ones we've seen over and over again."

The year's last scheduled updates included five that targeted Windows and one each aimed at Windows Media Player and Visual Studio 2005, the latter a development platform. Of the 11 vulnerabilities, five were judged "critical," five "important," and one "moderate." Added to the 71 updates already posted, December's group raised the 2006 total to 78, six more than the previous record set in 2002.

A cumulative update to Internet Explorer, MS06-072, fixed four flaws in versions 5.01 and 6.0 of Microsoft's browser and accounted for two of the five critical vulnerabilities patched Tuesday. Both critical issues involve scripting in the browser: one is a script error-handling bug, the other lies in how IE processes Dynamic HTML. Either can be exploited by an attacker who crafts a malicious Web page and then dupes a user into visiting its URL.

The other two bugs in MS06-072 were pegged "important" and "moderate," the second- and third-from-the-top rankings, respectively, in Microsoft's four-step system (critical, important, moderate, low). Both could result in the unintended disclosure of information stored in the PC's Temporary Internet Files folder. According to Microsoft, none of the IE bugs has been exploited, and IE 7, the newest version of the browser and now available to Windows XP users, isn't vulnerable.

MS06-073 also patches a critical vulnerability. The update for Visual Studio 2005 plugs a hole that was made public more than a month ago, and for which exploit code has been circulating. The update fixes a buggy ActiveX control used by a Visual Studio wizard.

The month's late addition, MS06-078, patches another zero-day vulnerability in Windows Media Player that could allow criminals to hijack PCs by creating malformed .asx playlists and enticing users to dodgy sites. The bulletin was tagged "critical."

Security vendor Symantec named MS06-078 as one of the two updates that should be deployed right away, in part because it affects Media Player versions 6.4, 7.1, 9, and 10. "[This] reconfirms that client-side vulnerabilities are one of the most efficient and well-known methods by which computers can become infected," said Oliver Friedrichs, the director of Symantec's security response group, in an e-mail. "Users are urged to install patches as soon as possible."

The four remaining updates were all pegged "important" by Microsoft.

One of the four, however, should have been labeled "critical," argues Gunter Ollmann, the director of IBM's Internet Security Systems X-Force threat research team. "One of the 'important' bulletins is actually critical to enterprise customers," Ollmann says.

That bulletin, MS06-074, was marked as "important" by Microsoft because the affected SNMP (Simple Network Management Protocol) service isn't installed by default on any edition of Windows. But to Ollmann, that's beside the point. "It may not be a default installed service, but SNMP is widely deployed in enterprises," says Ollmann. "It's pretty much the de facto protocol for monitoring server integrity. This is a critical patch."

Users can obtain the December patches via Windows' Automatic Updates, from the Microsoft Update service, or through other Microsoft software and services, including the enterprise-grade Windows Server Update Services (WSUS) and its predecessor, Software Update Services.

