Microsoft Patch Tuesday Brings Slew Of Fixes

As part of its "Patch Tuesday" cycle for issuing information about vulnerabilities in its products on the second Tuesday of each month, Microsoft Tuesday released 10 bulletins, covering 34 vulnerabilities. Six of those vulnerabilities rate as "critical," and affect Microsoft Windows, Data Analyzer ActiveX, Internet Explorer 8 Developer Tools and Internet Explorer.

"All the critical issues are client-side and can result in remote code execution in the context of the currently logged-in user if an attacker can trick an unsuspecting victim into performing some action," according to Symantec's Robert Keith, writing on the company's blog.

Beyond the critical issues, he said, "there are also a record number of issues affecting Excel, with 14 vulnerabilities being discovered in that program, 13 of which are remote code execution."

Microsoft released patches for all of the announced vulnerabilities.

Overall, six of the 34 vulnerabilities affect Internet Explorer. According to Microsoft's security bulletin, "the most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer." PCs running IE6, IE7 and IE8 largely have a "critical" vulnerability. Microsoft said Windows servers running IE6, IE7 and IE8 faced a "moderate" vulnerability.

Meanwhile, nearly every version of Windows, from Windows 7 to Windows Server 2003 S2, has "critical" vulnerabilities which "could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a website or any application that delivers Web content." A successful attack could give an attacker local-user rights. Microsoft's fix "addresses the vulnerabilities by modifying the way that Windows parses media files."

The ActiveX vulnerability could allow an attacker to execute remote code on a user's machine, provided the user "views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer," according to Microsoft's security bulletin.

Microsoft said its ActiveX fix also includes kill bits for new four third-party ActiveX controls -- from Avaya, CA, Danske Bank and Kodak -- at the request of those companies. Kill bits are an IE security feature that prevent ActiveX controls from being loaded by IE's HTML-rendering engine. According to Microsoft, "setting the kill bit makes sure that even if a vulnerable component is introduced or is re-introduced to a system, it remains inert and harmless." Typically, companies request kill bits when they discover vulnerabilities in their ActiveX controls.