Microsoft released six security updates Tuesday, three of which address critical flaws in Excel, Windows and the .NET Framework. And it's the .NET issues in particular that have security experts concerned.
The software giant fixed three .NET flaws with the release of MS07-040, two of which allow attackers to launch malicious code remotely against client machines utilizing Microsoft's platform for building and running specialized applications. The company added that attackers could exploit the third flaw to access sensitive information on Web servers running ASP.NET.
Don Leatham, director of business development at Scottsdale, Ariz.-based PatchLink Corp., said IT administrators should deploy this fix with the highest urgency, given the pervasiveness of .NET.
"This seems to affect all versions of .NET, except the most recent (version 3.0)," he said. "If the user visits a Web site that runs Active Scripting code, which is very common in the Windows world, such a script could take advantage of this flaw."
While many experts are expressing similar views, the issues addressed in MS07-039 are of greater concern to Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn. Microsoft said that update fixes a flaw attackers could exploit in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 to launch malicious code remotely or cause a denial of service.
He said IT shops will always be dealing with clueless users, but when it comes to protecting the crown jewels, the domain controller, which is a key user authentication server in most organizations, is his greatest concern. "According to this bulletin, you can own my domain controller just by looking at it," he said. "I would patch this first."
The third critical bulletin released this month is MS07-036. Microsoft said it addresses a variety of flaws in its Excel application.
"These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file," Microsoft warned. "Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights."
Microsoft rated two of the six bulletins as important. One is MS07-037, which fixes a flaw attackers could exploit to remotely launch malicious code if a user views a specially crafted Microsoft Office Publisher file. The other is MS07-041, which fixes another remote-execution flaw attackers could exploit by sending specially crafted URL requests to a Web page hosted by Internet Information Services (IIS) 5.1 on Windows XP Professional Service Pack 2.
"An attacker who successfully exploited this vulnerability could take complete control of the affected system," Microsoft said. "This is an important security update for all supported 32-bit editions of Windows XP Service Pack 2."
Finally, Microsoft released one bulletin with a moderate rating. MS07-038 fixes a Windows Vista flaw that could allow incoming unsolicited network traffic to access a network interface. "An attacker could potentially gather information about the affected host," Microsoft said.