By Robert McMillan
IDG News Service
Microsoft has issued six security updates, fixing critical bugs in
Windows components ranging from Internet Explorer to the Microsoft
NetWare client service.
The updates were released Tuesday morning local time as part of
Microsoft's monthly cycle of security patches. Five of this month's
updates are rated critical by Microsoft, meaning that these bugs could
be exploited by attackers to run unauthorized software on a system
without user action. Microsoft rates the sixth update, which fixes the
NetWare flaw, as "important."
The updates also fix Microsoft's Extensible Markup Language (XML)
parser, the Windows Workstation service, the Microsoft Agent and the
Macromedia Flash Player that is distributed with the operating system.
According to Symantec, the most critical of the updates is the
Workstation service patch. "This issue can be exploited by remote
anonymous attackers on Windows 2000, Windows XP and possibly Windows
Server 2003 systems," Symantec said in a statement. "A wide variety of
component technologies and services are impacted by this issue which has
potential for a worm-style attack."
The Internet Explorer update is important, because unlike many of the
other services being patched this month, Internet Explorer can easily be
targeted by attack code placed on a Web site, said Roger Thompson,
co-founder and CTO with Exploit Prevention Labs. "I think IE is always
the most critical," he said via instant message.
Because hackers have also posted attack code that exploits a hole in the
XML parser, the XML update is also noteworthy, he said.
Symantec also flagged the XML update. "All supported versions of
Internet Explorer (including the new Internet Explorer 7.0) make use of
this functionality and are susceptible to possible attack," the company
said. "This is a publicly known vulnerability that is currently being
exploited in the wild."
November's update is the last for users of Microsoft's Software Update
Services (SUS), which will no longer be supported as of Dec. 6.
Microsoft is advising SUS users to upgrade to Windows Server Update
Services 2.0 before the next security update, scheduled for Dec. 12.
All contents copyright 1995-2006 Network World, Inc.