News

Microsoft Releases 8 'Critical' Security Patches

The Redmond software giant released 12 patches -- eight of which are deemed "critical" -- as part of its regularly scheduled monthly security update.

• By Becky Nagel
• 06/13/2006

Three of the critical patches relate to vulnerabilities in Internet Explorer, while others deal with the Windows operating system, Windows Media Player, Word and PowerPoint flaws. All of the critical patches fix problems that "could allow remote code execution," as the company likes to say.

The critical patches are:

• MS06-021, Cumulative Security Update for Internet Explorer: Resolves several vulnerabilities in Internet Explorer that could allow remote code execution, four of which are rated "critical" for IE 6 for Windows XP SP 2 (multiple CVEs). The company recommends reading this Knowledge Base article for known issues with this patch.
• MS06-022, Vulnerability in ART Image Rendering Could Allow Remote Code Execution: This update resolves a vulnerability that could allow remote code execution when using Internet Explorer (CVE-2006-2378).
• MS06-023, Vulnerability in Microsoft JScript Could Allow Remote Code Execution: Resolves a vulnerability in JScript that could allow remote code execution when using Internet Explorer (CVE-2006-1313). Update should be installed at the same time as MS06-021 above to be effective.
• MS06-024, Vulnerability in Windows Media Player Could Allow Remote Code Execution: Deals with Windows Media Player PNG vulnerability CVE-2006-0025.
• MS06-025, Vulnerability in Routing and Remote Access Could Allow Remote Code Execution: Fixes Windows vulnerabilities dealing with RRAS memory corruption and RASMAN registry corruption (multiple CVEs).
• MS06-026, Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution: Fixes a graphics rendering vulnerability relating to the way Windows handles Windows MetaFile (WMF) graphics (CVE-2006-2376). Microsoft recommends reading this KB article for known issues relating to this patch, although the article does not address those issues at press time.
• MS06-027, Vulnerability in Microsoft Word Could Allow Remote Code Execution: Fixes a flaw related to a Word malformed object pointer vulnerability (CVE-2006-2492).
• MS06-028, Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution: Fixes a flaw in PowerPoint that could allow hackers to exploit administrator log-ins (CVE-2006-0022). Critical rating applies to PowerPoint 2000 only -- rated "important" for other versions.

There are also three patches rated "important" and one "moderate." They are:

• MS06-029, Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection: Fixes a script injection vulnerability that exists in Exchange Server running Outlook Web Access in which an attacker could exploit via a crafted e-mail message (CVE-2006-1193). Microsoft recommends reading this KB article before installing for known issues with this patch.
• MS06-030, Vulnerability in Server Message Block Could Allow Elevation of Privilege: This update resolves several vulnerabilities in Windows that require the attacker to validate logon credentials and be able to log on locally to exploit (multiple CVEs).
• MS06-032, Vulnerability in TCP/IP Could Allow Remote Code Execution: Fixes an IP source route vulnerability (CVE-2006-2379). Microsoft recommends reviewing this KB article for known issues with this patch.
• MS06-031, Vulnerability in RPC Mutual Authentication Could Allow Spoofing: This moderate-rated vulnerability fixes an issue with the RPC service that could enable an attacker to spoof trusted network resource (CVE-2006-2380).

For more information on all these patches, view the Microsoft Security Bulletin Summary for June 2006 found here.