The Latest Trumors, Beverly Rosenbaum

More Microsoft Patches Released

In June, Microsoft issued 12 patches to address 21 security flaws.

This is the largest series of security updates issued in 2006, and yet there’s no mention of it on the www.microsoft.com opening web page. You would have to click on a small “Security” link under the heading “Resources” on the left side of the page. That would take you to another page, where you can choose “This Month’s Updates” and reach the URL www.microsoft.com/athome/security/update/bulletins/200606.mspx. There’s no point in saving a link to the final page, since it changes every month.

Many Are “Critical”

Eight of the patches were categorized as critical, their highest warning level. A critical vulnerability is defined by Microsoft as one in which exploitation by attackers can occur without any action on the part of the victim. The patches in this group protect against remote code execution in Internet Explorer, PowerPoint, Windows Media Player and the Windows operating system. Three of the remaining patches address “important” vulnerabilities, while one addresses a “moderate” vulnerability.
These patches were simply issued in the June monthly patch distribution, with a Security Bulletin summary just like all the others posted by Microsoft on the second Tuesday of every month. On rare occasions, public pressure regarding flaws like a zero-day vulnerability has resulted in interim releases. Microsoft’s dry explanation seems to minimize the importance of the patches, so I had to look elsewhere for a more meaningful description of just how vulnerable my software would be without applying the “critical” updates.

Exactly What Gets Patched

One of the fixes is a patch for Microsoft Word, whose flaw was exploited in late May by the Oscor-B (also known as Ginwui) Trojan horse, which can infect a computer when a Microsoft Word document is first opened. This update was promised then, to plug a security hole in Microsoft Word that hackers have been using to steal sensitive information and infiltrate corporate networks. Vulnerability tracking company Secunia (secunia.com) characterized this flaw as “extremely critical,” its most dire warning level. Word 2000, Word XP, Word 2003, and the Microsoft Works suites for every year from 2000 to 2006 are affected, as well as Word Viewer 2003.
Microsoft also issued a patch to plug a critical flaw in PowerPoint that attackers could use to seize control over computers just by convincing someone to open a specially crafted presentation (.PPT) file. The vulnerability is present in all versions of PowerPoint shipped with Microsoft Office 2000, Office XP, Office 2003, as well as Office 2004 for Mac and Office v.X for Mac.
June’s patch bundle includes repairs for at least eight different flaws (four of them critical) in nearly all versions of Microsoft's Internet Explorer Web browser. Such critical flaws in IE are especially dangerous because they expose users to the risk of having their computer completely hijacked when they inadvertently visit a malicious Web site or click on a link that redirects them to one. Instructions showing would-be attackers precisely how to exploit at least two of these IE vulnerabilities have already been published on-line, although no attacks have yet been reported.
Another patch fixes a problem in the way Windows handles image files ending in .ART, an image format most commonly used by America Online. An attacker could exploit the vulnerability with a specially crafted image viewable through a Web browser or e-mail reader. This flaw affects nearly all versions of Windows, including Server 2003, Windows XP, Windows 2000, Windows 98, Windows 98SE and Windows ME.
A critical update that corrects a problem with Microsoft’s implementation of JavaScript should be installed with the IE bundle. Otherwise flaws in this powerful and widely-used Web programming language can be used to install nasty programs. The JavaScript flaw is present in the same versions -- Windows Server 2003, Windows XP, Windows 2000, Windows 98, Windows 98SE and Windows ME.
Another critical update patches a flaw in nearly every version of Windows Media Player that Microsoft ever shipped (from 7.1 through 10), and another patch covers two critical flaws in Microsoft’s “Routing and Remote Access” service. This service is designed to let companies reach their Intranet from the greater Internet, so the flaws could affect employees who work from home for some time, since most organizations take several weeks to test security updates before deploying them across their networks (mainly to ensure that applying the fix won’t break other applications).
A “critical” update fixes a problem in Microsoft’s graphics-rendering software that apparently is present only in older versions of Windows, specifically Windows 98, 98 SE and ME. It’s disturbing to learn about flaws that are found exclusively in older versions of Windows, because Microsoft will stop shipping critical patches like these on July 11, when it officially ends support for the Windows 98, ME and XP Service Pack 1 operating systems. See details at www.microsoft.com/windows/support/endofsupport.mspx.
The remaining updates issued to fix five other vulnerabilities rated as “important” or “moderate” should still be applied, to prevent viruses or on-line attackers from infiltrating and/or hijacking your computer.

It’s “Do-It-Yourself”

The burden of getting and applying these updates falls completely on the end users of Windows and other Microsoft products. Patches are available from the Microsoft Update Web site (update.microsoft.com/) or by activating Automatic Updates (www.microsoft.com/athome/security/protect/windowsme/updates.mspx). Office 2000 users must also visit Microsoft's Office Update site (office.microsoft.com/en-au/officeupdate/default.aspx) to download Office patches separately. That will require you to have your Office 2000 installation CD handy, because the site usually asks for it before it will successfully install the updates.
While researching links for this article, I noticed the absence of vulnerability and patch information on the Microsoft home page. Instead, the page displayed a number of beta items and a heading for World Cup News with a link to their Microsoft Soccer Scoreboard installer, in 20 different languages. It must be, as they say on ABC’s Nightline, “a sign of the times.”
Beverly Rosenbaum, a HAL-PC member, is a 1999 and 2000 Houston Press Club “Excellence in Journalism” award winner. She can be reached at trumors@hal-pc.org.