In-Depth
Microsoft Patches Three Flaws, Zero-Day Still Open
As expected, Microsoft released three patches last week to fix one critical Office vulnerability as well as two Windows flaws.
As expected, Microsoft released three patches last week to fix one critical Office vulnerability as well as two Windows flaws.
The critical patch (MS06-054) addresses a hole in Microsoft Publisher that "could allow remote code execution" -- a common issue with patches Microsoft deems critical. There do appear to be issues with installing this patch; more information is available in the references links on this page of Microsoft's Web site.
Symantec Security Response rates the Publisher vulnerability to be the most critical of the security bulletins. This remote client-side execution vulnerability can be triggered by a malformed string from within a Publisher file (.pub). The company said attacks may occur through files processed by an affected application, via e-mail attachments, or by hosting them on a malicious Web page. It warns that "A successful attack requires the user to open the file and will cause arbitrary code to be executed with the privileges of the currently logged in user. This vulnerability affects Publisher 2000, 2002 and 2003."
The two Windows-related patches are rated important (MS06-052) and moderate (MS06-053), and address flaws with Reliable Multicast Program and indexing services, respectively. See the related links for more information.
Redmond also re-released two patches (MS06-040 and MS06-042) originally included in last month's "Patch Tuesday" -- the company issued updates in late August to fix problems with the patches.
Noticeably absent from today's offerings was a patch that would fix the current zero-day Word exploit. Microsoft said in the Security Advisory it issued for the flaw last week that it was considering an out-of-cycle patch for that issue.
"It was too soon to pull together because [Microsoft] acknowledged it on the sixth...but at the same time, it is zero-day so it should be a big priority," commented Amol Sarwate, director of the vulnerability research lab at Redwood Shores, Calif.-based Qualys, a provider of enterprise Software as a Service (SaaS) security and compliance software.
Sarwate recommends IT professionals educate their users about the flaw until the patch is released.
To view today's official advisory, go here.
About the Author
Becky Nagel is vice president of AI for 1105 Media, where she specializes in training internal and external customers on maximizing their business potential via a wide variety of generative AI technologies as well as developing cutting-edge AI content and events. She's the author of "ChatGPT Prompt 101 Guide for Business Uses," regularly leads research studies on generative AI business usage, and serves as the director of AI Boardroom, a new resource for C-level executives looking to excel in the AI era. Prior to her current position she was a technical leader for 1105 Media's Web, advertising and production teams as well as editorial director for a suite of enterprise technology publications, including serving as founding editor of PureAI.com. She has 20 years of enterprise technology journalism experience, and regularly speaks and writes about generative AI, AI, edge computing and other cutting-edge technologies. She can be reached at bnagel@1105media.com.