As expected, Microsoft released six patch bulletins -- five of them critical -- to fix flaws in Internet Explorer and several components of the Windows operating system. Attackers have already exploited some of the flaws
Meanwhile, the software giant and other security experts warned Thursday that exploit code has been released for one of the most serious flaws patched this month.
Microsoft urged customers to install all the patches immediately. Online outlaws could exploit the most critical flaws to take control of targeted machines. Once hijacked, these machines could be used to install programs; view, change, or delete data; or create new accounts with full user rights, the software giant warned.
In a message to customers of its DeepSight Threat Management Service, Cupertino, Calif.-based antivirus giant Symantec Corp. said the two most critical bulletins are MS06-070, which addresses a memory corruption flaw in Windows' Workstation service; and MS06-071, which addresses a flaw in the XMLHTTP ActiveX control within Microsoft XML Core Services.
The first flaw could be exploited by remote attackers on Windows 2000, Windows XP and possibly Windows Server 2003 systems, Symantec said, adding that a wide variety of component technologies and services are impacted by this issue, making the environment ideal for a potential worm attack. Symantec said the XML Core Services flaw is also serious because all supported versions of Internet Explorer (IE) make use of the program, including the recently-released IE 7.
"Many of the issues addressed in this month's batch of patches attend to publicly exploited issues," Alfred Huger, senior director of development for Symantec Security Response, said in a statement. "Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible."
Security experts warned that exploit code has already been released for the Workstation service flaw, raising the possibility of an attack on Windows 2000 machines similar to last year's Zotob outbreak.
"Microsoft is aware of public proof-of-concept code targeting the vulnerability addressed by security update MS06-070," Microsoft said in an advisory Thursday. "At this time Microsoft has not seen any indications of active exploitation of the vulnerability." The software giant has activated its emergency response process and is continuing to investigate, however.
This month's other critical bulletins are:
MS06-067, a cumulative update for IE that fixes several flaws. Some of the flaws are in DirectAnimation ActiveX controls and could be exploited if the ActiveX controls are passed unexpected data. "An attacker could exploit these vulnerabilities by constructing a specially crafted Web page that could potentially allow remote code execution" if a user visited the page, Microsoft said. Another flaw is in how IE interprets HTML with certain layout combinations. Attackers could also exploit this by luring users to a specially crafted Web page.
MS06-068, which fixes a flaw in how Microsoft Agent handles specially crafted .ACF files. An attacker could exploit the vulnerability by constructing a specially crafted Web page and luring users to it.
MS06-069, which fixes several flaws in how Adobe's Macromedia Flash Player handles flash animation .swf files. An attacker could exploit the flaws by constructing a specially crafted .swf file, sticking it on a Web site and luring users there. The specially crafted .swf file could also be sent as an email attachment.
Finally, Microsoft released MS06-066, an "important" update fixing two flaws. One is a memory corruption flaw in Client Service for NetWare (CSNW), a component of Windows. The other is a denial-of-service flaw an attacker could exploit by sending a specially crafted network message to an affected system.
One issue Microsoft didn't address this month is a zero-day flaw in Visual Studio 2005, which was announced Nov. 1. A Microsoft spokesperson said more time is needed to develop and test that fix.