In association with heise online

13 September 2006, 08:14

Three holes plugged on Microsoft's Patch Tuesday

Microsoft used the September Patch Tuesday to close two holes in the Windows operating system and one vulnerability in MS Office – but not the flaw in Windows 2000 that is already under active attack.

The sole security hole classified as critical involves Microsoft Publisher, a component of the Office suite. Errors in the processing of specially prepared Publisher documents (.pub) can allow malicious code to be smuggled in and executed with the user's privileges. After the update, users will no longer be able to open documents created in Publisher 2.0; more information is provided by Microsoft in a Knowledge Base Article.

Microsoft also classified a security hole in the Microsoft Message Queuing Services (MSMQ) as important. MSMQ upgrades the support for Pragmatic General Multicast (PGM), a type of multicast with quality of service elements. Attackers can use manipulated PGM packets to plant arbitrary program code on the computer and even achieve complete control of it. However, this service is not pre-installed on standard Windows installations.

A moderate rating was applied to a cross-site scripting hole in the Indexing Service, which does not check search queries properly. This makes it possible to execute script code in the context of another user, and hence to forge content and spy out information.

As announced recently, two additional patches unrelated to security will be released via Windows Update. One update eliminates errors in the audio components of Windows, the other fixes a problem in the interaction between Microsoft's filter manager and the various update mechanisms, which could potentially prevent updates from being installed on the affected computers.

The relatively low number of patches will hopefully give administrators a chance to catch their breath after the patch flood of recent months, provided no unexpected incompatibilities cause headaches. The hope remains that the Redmond-based software house will soon release a patch for the recently exposed critical hole in Word rather than leaving it to terrorise the computer landscape for another month. Until then, the advice stands to treat all .doc files with increased vigilance.

Finally, this Patch Tuesday also saw some old updates revisited – see this article for details.
