Microsoft Patchday: Twelve updates for 23 holes
Microsoft released updates today to close 23 security holes in all. The majority of the flaws described in the twelve security bulletins have been classified by Microsoft as critical, since they could allow malicious code to be planted onto a Windows PC without significant activity on the user's part. In many cases, a visit to a specially prepared website or the opening of an Office document is sufficient. An exploit is already circulating for one of the eight holes in Internet Explorer that were made public today, US-CERT reports. It is already being used on specially crafted websites, although US-CERT did not indicate how long this has been going on. Some of the other holes in the browser are based on errors in the rendering of HTML pages. Users should install the newly available updates as soon as possible.
Outlook Express 6 also has a problem with the rendering of specially prepared HTML documents. Erroneous MHTML pages (MIME Encapsulation of Aggregate HTML Documents) can provoke a buffer overflow through which code can be planted and executed. In this case, the opening of a specially prepared email is enough to infect the PC with a Trojan, for example. The software company also removed a buffer overflow in an ActiveX control that is used by Windows HTML help.
An update for PowerPoint is intended to close two security holes that have been the targets of exploits since the last Patch Tuesday in July. Using manipulated presentations, attackers made targeted attempts to infect corporate employees with spy software. Beyond the PowerPoint update, Microsoft also rolled out another update for Office to remove an error in Visual Basic for Applications. It too enables the infection of a PC through specially prepared documents.
The Redmond-based company has also closed two holes in the Windows Hyperlink Object Library (hlink.dll) that could execute malicious code with no more than a click on a special link in a document or email. Although one hole has been public since the end of July, Microsoft did not categorise it as critical.
By contrast, the vulnerability in Server Service from Windows, already the target of an update on the last Patch Tuesday, did merit the critical designation. Shortly after that last update, an exploit emerged that demonstrated that not all of that product's problems had been eliminated. The exploit culminated only in a server crash, however. The patch released today should close a "remote code execution" hole in that service. Whether this is the same problem or a new one still needs to be determined through testing.
Two flaws in Windows' DNS functionality must also be regarded as highly volatile. Among other effects, the DNS client can be passed malicious code through a server's DNS packets. One of the two flaws can already be triggered through a forced DNS resolution when visiting a website or potentially even when previewing an email. For the other, the attacker must either be located between the DNS server being used and the client, or arrange for the former to send a special query to a manipulated server.
Two of the announced security holes affect only Windows 2000: a flaw in the Microsoft Management Console in the rendering of HTML pages, as well as a flaw in the kernel through which users can increase their rights on a PC. A privilege elevation vulnerability is also hidden in the kernel of XP and Server 2003. A new hole has been found as well through which code could be inserted into the computer using unhandled exceptions. According to the bulletin, this is all triggered through a visit to a specially prepared website, but the software giant did not provide details on this odd-sounding hole.
Finally, Microsoft has also ironed out a vulnerability in Windows Explorer that surfaces when performing a drag & drop between Windows Explorer and Internet Explorer. One hopes that this update will not produce further damaging side effects as last happened with the Windows Explorer update from April, which resulted in a "patch for the patch".
Patch Tuesday for August continued the trend of rapidly increasing numbers of serious security holes. The number of bulletins for critical holes this year has already surpassed the total for all of 2005. 29 bulletins in all bearing the designation "critical" were released during 2005, while 33 have already surfaced between January and August 2006. This development appears all the more dramatic when one looks not at the updates themselves, but rather at the number of flaws being categorised as critical. While "only" 37 of these were found in 2005, there have already been 52 altogether up to and including the August patches, and the year is far from over.
- Microsoft Security Bulletin Summary for August, 2006: Microsoft's summary with notes and links to the individual updates