Microsoft Releases Nine Patches

Microsoft's August "Patch Tuesday" update contains nine security patches touching on various Windows-based products and applications. Six of the patches fix critical vulnerabilities that could give an attacker full control of a machine.

The Critical security issues addressed possible remote code execution (RCE) exploits that affect Internet Explorer, Microsoft Office and its suite of programs, and certain versions of Windows and related peripherals.

The first critical security addendum involves possible RCE attacks on XML Core Services through the use of what Redmond called a "specially crafted Web page" via IE. This patch is for all supported editions of Windows 2000, Windows XP, Vista, Office 2003 and Office 2007.

A related critical patch deals with a cumulative security update for IE. The patch mitigates three potential risks stemming from RCE attacks via Web browsers. These vulnerabilities address the kill bit for ActiveX controls as well as the way certain strings in Cascading Style Sheets (CSS) files are configured and aggregated for Web publishing. The patch is for IE 5.01, IE 6 Service Pack 1, and Windows XP Home and Professional editions.

Staying in the realm of possible intrusions through specially crafted Web pages, another critical patch focuses on vulnerability to attacks on Object Linking and Embedding (OLE), affecting Windows 2000, Windows XP, Office 2004 for Mac and Visual Basic 6.

Additionally, Microsoft said an RCE vulnerability exists in the Graphics Rendering Engine or Graphics Device Interface that can be exploited through the use of extraneous yet potentially harmful images sent through e-mail attachments. This critical security update is for all supported editions of Windows, with the exception of Windows 2003 Server SP 2 and Windows Vista.

Turning to Office applications, Redmond, as it has in recent months, released an update for Excel. Similar to recent patches involving PowerPoint and Word, the fix can help prevent snafus that can happen as the result of corrupt Office files. The only critical Excel patch applies to Office 2000. The remaining patches were described as Important, and pertain to Office XP, Office 2003 and 2004, Office 2004 for Mac and Excel Viewer 2003.

Assessing the latest patches, Eric Schultze, chief security architect at Saint Paul, Minn.-based Shavlik Technologies, pointed out that a good number of critical patches involve client-side vulnerabilities that can be avoided.

"So if I'm [a security administrator], I would limit the use of nonpertinent sites you're browsing until everything gets fully patched," said Schultze. "This may mean cutting back on checking up on what's going on with fantasy football."

Schultze added that he thinks Microsoft is doing a great job keeping server-side issues at bay.

Meanwhile, to round out Patch Tuesday, Microsoft released patches for three Important issues regarding user rights on Windows Media Player, code privilege manipulation weaknesses for Windows Gadgets (i.e. Contact Gadget), and elevation of user privilege vulnerabilities on Virtual PC and Virtual Server.

Redmond also announced an update to its Kernel Patch Protection that will "protect code and critical structures in the Windows kernel from modification by unknown code or data," according to a blog entry from Microsoft's Security Response team. The update is for 64-bit OSes.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.