Seven updates on Microsoft's patch day
As announced, Microsoft has released seven updates on its patch day in July. Three of the updates categorized as "critical" – the highest ranking – concern Microsoft Office, another Windows network services, and one the Windows DHCP client. In addition, two updates considered "important" were released for Internet Information Services (IIS) and the .NET framework 2.0.
Specifically, the Office updates remedy weak points in the display of GIF and PNG graphics (MS06-039), three vulnerabilities in the parsing of Office documents (MS06-038), and a total of eight holes in Excel (MS06-037). Attackers could reportedly use all of the Office holes to inject arbitrary malicious code by means of manipulated graphics files or Office documents. The holes not only affect Office versions 2003, XP, 2000, and 2004 as well as v.X for Mac, but also MS Project, MS Visio and MS Works, to the extent that they contain vulnerable Office components. The programming errors are categorized as "critical" for Office 2000 and Excel 2000, while the updates for the other versions are merely considered "important".
In contrast, Microsoft considers the hole in the DHCP client critical on all affected plattforms (Windows 2000, XP and Server 2000, MS06-036). Attackers might be able to use manipulated DHCP responses to take complete control of unpatched Windows systems that use DHCP for automated network configuration.
The vulnerabilities in the MailSlot network services and SMB (MS06-035) also concern current Windows versions. Attackers could use the hole in MailSlot, which Microsoft considers critical, to take complete control of vulnerable systems. MailSlot is a mechanism for communication between processes both locally and via networks on Windows. The best known MailSlot application is probably the Windows Message Service. The SMB hole is only of "low" priority. Attackers may have been able to use it to get knowledge via the net about the content of dispatched Windows network packets.
Attackers could use a hole in version 5.0, 5.1 and 6.0 of Internet Information Services (IIS) to inject arbitrary malicious code via the net and take complete control of vulnerable IIS servers (MS06-034). However, the attacker would either have to have valid IIS access data, or the server would have to allow Web content to be uploaded anonymously.
The update for .NET 2.0 (MS06-033) also concerns Windows servers and is categorized as important. Attackers could use a weak point in the framework to get around the security measures of ASP.NET to obtain direct access to objects in the applications folder. In this way, they might be able to access information that opens up other ways of attack.
In the light of the severity of the holes in the Windows network services, users are advised to install the updates quickly. Office users should also update their software immediately. Microsoft expressly advises users of unpatched Office programs to refrain from opening Office documents from unknown sources.
The holes in Internet Explorer reported by H.D. Moore in the course of his Month of Browser Bugs were not taken into consideration this patch day even though Moore claims that he informed Microsoft of these holes in March. The hole in Microsoft Word reported on Monday cannot be used to inject malicious code according to Microsoft's Security Response Center Blog, but instead only cause the program to crash.
- Microsoft Security Bulletin Summary for July, 2006, which includes tips and links on the individual updates