
    Microsoft Fixes a Dozen Security Flaws, Nine Critical

    By
    Matt Hines
    -
    August 8, 2006

      Microsoft released a dozen security bulletins on Aug. 8 in an effort to patch a variety of security issues affecting Windows and Office, including nine critical vulnerabilities present in popular applications such as Internet Explorer, Outlook Express and PowerPoint.

      Ten of the dozen security bulletins issued by the Redmond, Wash.-based software maker include patches for its flagship Windows operating system, including the seven labeled as critical, Microsoft's highest severity rating.

      For the third successive month, the company also issued patches for critical vulnerabilities in Microsoft Office.

      Among the critical Windows flaws, Microsoft issued a cumulative bulletin for its Internet Explorer Web browser, which promises to resolve several vulnerabilities that could allow outside attackers to take over a device running the software via remote code execution attacks.

      The issue addressed in Microsoft's Outlook Express e-mail software also involves a flaw that could allow for machines to be compromised through remote code execution attacks.

      The problem, identified by Microsoft as a MHTML parsing vulnerability, could allow the machines of Outlook Express users to be taken over by attackers who could then log on with administrative user rights to manipulate data or create new accounts with full user rights.

      Microsoft said that an attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially lead to remote code execution if a user visited a related Web site or clicked a link in a specially crafted message.

      If a user were logged on with administrative user rights, an attacker could then take complete control of an affected system.

      Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, the company said.

      Other critical Windows bulletins included a fix meant to address a vulnerability in the software's server service that could allow for remote code execution.

      That flaw involved a buffer overrun which could be used to take over a computer running an unpatched version of the program.

      Exploiting Another Vulnerability

      Another vulnerability patched in the release involves Windows DNS resolution code, which could also be attacked using remote code execution.

      By exploiting the glitch, the company said an attacker could install programs or create new accounts with full user rights.

      The issue specifically involves vulnerabilities linked to a DNS Client buffer overrun and an issue with its Winsock Hostname function.

      Microsoft issued a bulletin that promises to fix a flaw in the Windows management console that could be targeted for remote code execution attacks.

      A bulletin was released with a patch for a problem in Windows HTML help functions, which may leave computers running the software vulnerable to remote code execution as well.

      Using a buffer overrun in the HTML Help ActiveX control, an attacker exploiting the flaw could allow remote code execution on an affected system.

      By constructing a malicious Web page to take advantage of the issue, an outsider could potentially achieve remote code execution if a user visited that page, allowing them to take control of the individual's system and escalate user privileges.

      Microsoft said that Internet Explorer on Windows Server 2003 runs by default in a restricted mode that could mitigate the vulnerability for users of the program.

      Another bulletin addressed several issues in the Windows kernel that could also lead to remote code execution exploits.

      Among the critical Office vulnerabilities addressed in the newest security patch collection was a pair of issues in the PowerPoint presentation software, and a flaw in Microsoft Visual Basic for Applications, both of which could leave computers open to remote code execution attacks. Office applications have been a regular target for so-called zero-day attacks.

      In the case of the PowerPoint bulletin, Microsoft addressed one issue that could be exploited when a file containing a malformed shape container is parsed by the application.

      Such a file might be included in an e-mail attachment or hosted on a malicious Web site, allowing an attacker to exploit the vulnerability by constructing a specially crafted PowerPoint file that could allow remote code execution.

      The second PowerPoint glitch relates to malformed records, which, when parsed by the program, could leave it open for exploit.

      Such a file might also be included in an e-mail attachment or hosted on a malicious Web site allowing an attacker to exploit the vulnerability by constructing a specially crafted PowerPoint file that could allow remote code execution.

      The company has already confirmed that the PowerPoint vulnerability has been used in targeted attacks that are believed to be linked to corporate espionage in the Far East.

      The vulnerability in Visual Basic for Applications exists in the manner that the program checks the document properties that a host application passes to it when opening a document and could also allow an outsider to take complete control of an affected system.

      The company did not offer a bulletin for its Excel spreadsheet program, for which a known vulnerability still exists.

      In the July patch batch, Microsoft released a mega update for the Excel spreadsheet program and warned that the flaw could let malicious hackers take “complete control of the vulnerable client workstation.”

      Among the three “important” flaws in Windows addressed by the new batch of security bulletins were glitches in Explorer and the operating system's Hyperlink Object Library, which could permit remote execution attacks, and an issue in the software's kernel that could lead to elevation of privileges if exploited.

      John Lambert, senior group manager in Microsoft's SWI (Secure Windows Initiative), which is responsible for reducing the number of vulnerabilities present in Microsoft's next-generation Vista operating system, told attendees of the recent Black Hat security conference that the company is making significant headway with its efforts.

      Speaking at the conference in Las Vegas on Aug. 2, Lambert said that Microsoft has learned many valuable lessons over the years in how to better secure its products, specifically as Windows has been assailed by viruses that use code vulnerabilities to wreak havoc for end users.

      Microsoft's SDL (Security Development Lifecycle) and other code analysis efforts are expected to result in the most secure operating system the firm has ever released.

      “We learned a lot of things during the Windows security standoff, that doing threat modeling after the code is written is not the best way to do modeling,” Lambert said.

      “We know there will be defects that make it through [into Vista] despite our best efforts, but we wanted to embark on an effort to reduce the number of liabilities to prevent future exploits.”
