Microsoft patches seven July security holes, five critical

By Bill Brenner, Senior News Writer
11 Jul 2006 | SearchSecurity.com

Security Wire Daily News

Microsoft released seven security updates Tuesday -- five of them critical -- to fix vulnerabilities in Office, Excel, Windows and Internet Information Services (IIS).

In its July security bulletins, the software giant warned that attackers could exploit the most serious flaws to take complete control of affected machines and install programs; view, change or delete data; or create new accounts with full user rights.

MS06-037 is a critical bulletin that Microsoft recommends IT administrators make the month's top patching priority. It patches eight different flaws in Microsoft Excel, including a zero-day flaw that attackers have already exploited.

The other critical bulletins are:

  • MS06-039, which addresses a remote code execution flaw in Microsoft Office. Attackers could exploit the flaw by constructing a specially crafted .png file, which could then permit them to launch malicious code.

  • MS06-038, which addresses three Microsoft Office flaws that appear when malformed strings and properties are parsed by any of the affected Office applications. "Such a string might be included in an email attachment processed by one of the affected applications or hosted on a malicious Web site," Microsoft said. "An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution."

  • MS06-036, which addresses a buffer overrun flaw in Windows' Dynamic Host Configuration Protocol (DHCP) client service. Attackers could exploit the flaw to take complete control of the affected system, Microsoft said.

  • MS06-035, which addresses two Windows flaws: a mailslot heap overflow vulnerability in a server driver that could allow an attacker to take complete control of the affected system; and a server message block information disclosure flaw in the server service that could allow an attacker to view fragments of memory used to store server message block traffic during transport.

Microsoft also released two security bulletins it rated as important. They are:

  • MS06-034, which addresses a remote code execution flaw in Internet Information Services (IIS). "An attacker could exploit the vulnerability by constructing a specially crafted Active Server Pages .asp file, potentially allowing remote code execution if the IIS processes the specially crafted file," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

  • MS06-033, which addresses an information disclosure flaw attackers could exploit to bypass ASP.Net security and gain unauthorized access to objects in the application folders explicitly by name.

As it does every month, Microsoft also released an updated version of its Windows Malicious Software Removal Tool and will host a webcast Wednesday to address any questions IT administrators have regarding this month's updates.
