
Microsoft patches seven July security holes, five critical

By Bill Brenner, Senior News Writer
11 Jul 2006 | SearchSecurity.com

Security Wire Daily News

Microsoft released seven security updates Tuesday -- five of them critical -- to fix vulnerabilities in Office, Excel, Windows and Internet Information Services (IIS).

In its July security bulletins, the software giant warned that attackers could exploit the most serious flaws to take complete control of affected machines and install programs; view, change or delete data; or create new accounts with full user rights.

More on Microsoft's July 2006 security bulletins

In a special partnership with Microsoft, Christopher Budd, security program manager with the Microsoft Security Response Center (MSRC), offers SearchSecurity.com readers his exclusive detailed analysis of the software giant's monthly security bulletins.
Inside MSRC: Debunking Excel exploits

MS06-037 is a critical bulletin that Microsoft recommends IT administrators make the month's top patching priority. It patches eight different flaws in Microsoft Excel, including a zero-day flaw that attackers have already exploited.

The other critical bulletins are:

  • MS06-039, which addresses a remote code execution flaw in Microsoft Office. Attackers could exploit the flaw by constructing a specially crafted .png file, which could then permit them to launch malicious code.

  • MS06-038, which addresses three Microsoft Office flaws that appear when malformed strings and properties are parsed by any of the affected Office applications. "Such a string might be included in an email attachment processed by one of the affected applications or hosted on a malicious Web site," Microsoft said. "An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution."

  • MS06-036, which addresses a buffer overrun flaw in Windows' Dynamic Host Configuration Protocol (DHCP) client service. Attackers could exploit the flaw to take complete control of the affected system, Microsoft said.

  • MS06-035, which addresses two Windows flaws: a mailslot heap overflow vulnerability in a server driver that could allow an attacker to take complete control of the affected system; and a server message block information disclosure flaw in the server service that could allow an attacker to view fragments of memory used to store server message block traffic during transport.

Microsoft also released two security bulletins it rated as important. They are:

  • MS06-034, which addresses a remote code execution flaw in Internet Information Services (IIS). "An attacker could exploit the vulnerability by constructing a specially crafted Active Server Pages .asp file, potentially allowing remote code execution if the IIS processes the specially crafted file," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

  • MS06-033, which addresses an information disclosure flaw attackers could exploit to bypass ASP.Net security and gain unauthorized access to objects in the application folders explicitly by name.

As it does every month, Microsoft also released an updated version of its Windows Malicious Software Removal Tool and will host a webcast Wednesday to address any questions IT administrators have regarding this month's updates.
