Organizations large and small should deploy Microsoft's June security patches without delay because experts say a variety of exploits are already targeting the flaws.
Microsoft released 13 security bulletins Tuesday, the biggest monthly patch rollout since February 2005, when the software giant released 12 security bulletins. Eight of this month's updates are critical and address vulnerabilities in Windows, Internet Explorer, Exchange, Media Player, PowerPoint and Word.
According to various security firms and published media reports, at least two pieces of exploit code target security holes Microsoft brought to light on Tuesday. Most of the other exploits involve flaws that the information security community had already been aware of, which were fixed in Tuesday's patch update.
One proof-of-concept exploit, released by a penetration testing vendor to customers, targets a flaw outlined in Microsoft's MS06-024 bulletin. It fixes a critical remote code execution hole in Windows Media Player versions 9 and 10 involving how the program processes Portable Network Graphics (.png) images.
A second proof-of-concept exploit, also released by a penetration testing vendor to customers, targets flaws outlined in MS06-025, which fixes a pair of critical remote code-execution flaws affecting versions of Windows 2000, XP and Server 2003.
Vulnerability researchers typically distribute proof-of-concept exploit code so customers can write rules for intrusion defense systems (IDS) and vulnerability scanners, enabling them to detect new attacks. The code is also used for academic research. Microsoft has frowned on the practice, saying conceptual exploits can be tweaked for malicious purposes.
Another exploit, available prior to Tuesday's patch release, targets the widely publicized zero-day vulnerability in Word. The vendor's word-processing program is subject to what Microsoft calls a critical malformed object pointer execution flaw that could enable remote code execution via a specially crafted Word file. The flaw is addressed in MS06-027.
Additional exploits target privilege escalation and denial-of-service vulnerabilities in Windows Server Message Block that were addressed in MS06-030.
Additional denial-of-service exploits target a "moderate" Windows mutual authentication flaw in RPC that affects Windows 2000 SP4. This was addressed in MS06-032.