Channels ▼


Microsoft Patches Record 26 Vulnerabilities

In this month's patch release, Microsoft on Tuesday fixed a record number of 26 vulnerabilities, 15 of which the Redmond, Wash.-based vendor deemed critical.

The vulnerabilities affect 16 different applications, and include four critical flaws each in Microsoft Office (MS06-062), Word (MS06-060), Excel (MS06-059) and PowerPoint (MS06-058).

The vulnerabilities affecting Powerpoint and Excel have already been exploited in the wild in recent months. These include an Excel zero-day exploit that employs Trojan.Hongmosa, and a Word zero-day exploit that uses Trojan.MDropper.Q, according to a Tuesday bulletin sent to Symantec Deepsight subscribers.

Microsoft has also patched a code execution vulnerability for Internet Explorer (MS06-057) that stems from a glitch in the WebViewFolderIcon ActiveX object, which has also been exploited in the wild in recent weeks.

"This patch is definitely a must because exploits are circulating and we're seeing attacks on peoples' systems," said Rohit Dhamankar, senior manager of security research at 3Com's TippingPoint division.

However, according to a post on the SANS Internet Storm Center Website, the threat is diminished by the fact that Internet Explorer on Windows Server 2003 by default runs in a restricted mode known as Enhanced Security Configuration.

TippingPoint's Zero Day Initiative, which pays security researchers for turning in undisclosed vulnerabilities, was responsible for alerting Microsoft to three critical flaws in Office applications, said Dhamankar. "This proves [the initiative is] a safe way for people to turn in vulnerabilities that prevents being used and sold for zero day attacks," he added.

However, Monty Ijzerman, senior manager at McAfee's Global Threat Group, believes that attackers are already sifting through the fresh patches to gain ammunition for future exploits.

"Now that the patches are out, it's fairly easy to do a comparison between the original components and the patch components to see the vulnerability. It's not easy, but for a skilled attacker it's not difficult either," Ijzerman said.

Another patch (MS06-061) addresses a flaw in the Extensible Stylesheet Language Transformations (XSLT), which enables viewing of XML content and affects Internet Explorer and Outlook. An exploit of this vulnerability would require the user to click on a link in an e-mail or Web page.

User education is needed to help people avoid falling victim to the various social engineering tactics attackers employ with client side exploits, according to Jonathan Bitle, a manager of technical accounts with Qualys, Redwood Shores, Calif.

"Attackers are increasingly taking advantage of the weakest link in the chain, the end-user," Bitle noted.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.