Three holes plugged on Microsoft's Patch Tuesday
Microsoft used the September Patch Tuesday to close two holes in the Windows operating system and one vulnerability in MS Office – but not the flaw in Windows 2000 that is already under active attack.
The sole security hole classified as critical involves Microsoft Publisher, a component of the Office suite. Errors in the processing of specially prepared Publisher documents (.pub) can allow malicious code to be smuggled in and executed with the user's privileges. After the update, users will no longer be able to open documents created in Publisher 2.0; more information is provided by Microsoft in a Knowledge Base Article.
Microsoft also classified a security hole in the Microsoft Message Queuing Services (MSQM) as important. MSQM upgrades the support for Pragmatic General Multicast (PGM), a type of multicast with quality of service elements. Attackers can use manipulated PGM packets to plant arbitrary program code on the computer and even achieve complete control of it. This service is not in fact pre-installed on standard Windows installations.
A moderate rating was applied to a cross-site scripting hole in the Indexing service. It does not examine search queries properly. That makes it possible to execute script code in the context of another user, and hence forge content and spy on information.
As announced recently, two additional patches unrelated to security will be released via Windows Update. One update eliminates errors in the audio components of Windows, the other fixes a problem in the interaction between Microsoft's filter manager and the various update mechanisms, which could potentially prevent updates from being installed on the affected computers.
The relatively low number of patches will hopefully provide administrators a chance to catch their breath after the patch flood of recent months – insofar as no other unexpected incompatibilities cause headaches. The hope still remains that the Redmond-based software house will soon release a patch for the recently exposed critical hole in Word and not allow another month for it to terrorise the computer landscape. Until then, the advisory remains in place to monitor all .doc files with increased vigilance.
Finally, this Patch Tuesday also saw some old updates revisited – see this article for details.
- Microsoft Security Bulletin Summary for September 2006, Summary from Microsoft
- Security vulnerability in Pragmatic General Multicast (PGM) could allow remote code execution, Advisory MS06-052 from Microsoft
- Vulnerability in the Indexing service could allow cross-site scripting , Advisory MS06-053 from Microsoft
- Security vulnerability in Microsoft Publisher could allow remote code execution, Advisory MS06-054 from Microsoft
- September Patch Tuesday Fails to Address Zero-Day Exploit in MS Word, article at Chi Publishing