Microsoft doesn't close all holes on June patch day
Microsoft released a total of five security bulletins in its June Patch Tuesday to close vulnerabilities in Windows, Internet Explorer and Office. However, a privilege escalation hole for which an exploit is being circulated on the net remains unpatched.
The security patch for Office 2003 SP3 has been rated as critical because it closes a vulnerability that is already being exploited for attacks by cyber-criminals. The issue also affects Office 2011 for Mac OS X, and an appropriate patch for this version has also been released. Office stumbles when presented with specially crafted PNG files embedded in documents; the resulting buffer overflow can be exploited to inject malicious code. Another critical update is the cumulative patch for Internet Explorer, which fixes a total of 19 security holes in all versions of IE that can lead to malware infections when browsing the internet.
The remaining three bulletins affect all versions of Windows and fix a privilege escalation hole in the print spooler, a denial-of-service hole in the network stack and a kernel issue that could allow information disclosure. According to Microsoft's release announcement, the privilege escalation hole is not the one for which an exploit has been in circulation since early June.
The public exploit allows anyone with access to any type of account to execute code at system privilege level – a guest account being perfectly sufficient. The hole has been known since mid-May. It was discovered by Google security researcher Tavis Ormandy, who publicly disclosed it without prior warning. Ormandy released an exploit on the internet a few weeks later. According to currently available information, all versions of Windows are affected.
With its latest patch day, Microsoft has added various features to Windows Vista and 7 that affect the central management of the Certificate Trust List (CTL) and were previously only available in later versions of the operating system. For example, administrators can now determine that systems within their domain will automatically receive the CTL even if they don't participate in Windows Update. The update also enables administrators to determine which root certification authorities on the list are to be trusted by the computers in their care.