Microsoft released six security updates Tuesday -- one fewer than originally planned -- to address a variety of flaws in Windows, Internet Explorer, Word and Outlook. Four of the updates address critical vulnerabilities attackers could exploit to run malicious code on targeted machines.
The biggest fix was for four different security holes in Internet Explorer, and at least nine flaws across Microsoft's product line were addressed this month. In response to the security updates, Cupertino, Calif.-based antivirus giant Symantec Corp. raised its ThreatCon to Level 2. "The DeepSight Threat Analyst Team recommends administrators apply these updates as soon as possible," Symantec said in an email to customers of its DeepSight threat management service.
McAfee noted that the majority of flaws addressed this month could be exploited through malicious Web sites.
"Today's Microsoft patches emphasize the need for proactive browser protection and the risk of surfing the Web unprotected," Dave Marcus, security research and communications manager at McAfee Avert Labs, said in an email. "Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply clicks a malicious Web link, a favorite attack method among cybercriminals. Users need to be more careful than ever when surfing the Internet."
Critical security bulletins summarized
MS07-056 fixes a vulnerability in the handling of malformed NNTP responses in all supported versions of Microsoft Outlook Express and Microsoft Windows Mail. Attackers could exploit it by constructing a specially crafted Web page. "This security update removes the vulnerability by changing the newsgroup client to handle malformed responses correctly," Microsoft said.
MS07-057 fixes four different flaws, the most serious of which could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Microsoft rated the security update as moderate for Internet Explorer 6 and 7 on Windows Server 2003 and critical for all other supported releases of Internet Explorer. "The security update addresses three vulnerabilities by not allowing the browser window content to persist after navigation has occurred," Microsoft said. "The update addresses the fourth vulnerability by modifying the script error exception handling so that no attempt is made to access the freed memory."
MS07-060 fixes a Microsoft Word flaw attackers could exploit to run malicious code if a user opens a specially crafted Word file with a malformed string. The update is for supported editions of Microsoft Office 2000, Microsoft Office XP and Microsoft Office 2004 for Mac. "This security update addresses the vulnerability by modifying the way that Microsoft Word handles specially crafted Word files," Microsoft said.
Important security bulletins summarized
MS07-058 fixes a denial-of-service flaw in the remote procedure call (RPC) facility, caused by a flaw in how the RPC facility communicates with the NTLM security provider when authenticating RPC requests. It affects all supported editions of Windows 2000, Windows XP, Windows Server 2003 and Windows Vista. Microsoft said the update addresses the problem by having the RPC facility validate the RPC request.
MS07-059 fixes a flaw in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 that attackers could exploit to run a malicious script and gain elevated privileges within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment. The vulnerability could also allow an attacker to run arbitrary script that modifies a user's cache, resulting in information disclosure at the workstation, Microsoft warned. The problem affects Microsoft SharePoint Services 3.0 in supported editions of Microsoft Windows Server 2003 and supported editions of Microsoft Office SharePoint Server 2007. "The security update addresses the vulnerability by modifying the way that Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 validate URL-encoded requests," Microsoft said.
In its Patch Tuesday advance notification Thursday, Microsoft had originally planned for seven security updates -- four critical and three important. It is unclear why one of the important updates was pulled back.