AOH :: ISN-3271.HTM

Microsoft releases six security updates

Microsoft releases six security updates
Microsoft releases six security updates 

By Robert McMillan
IDG News Service

Microsoft has issued six security updates, fixing critical bugs in 
Windows components ranging from Internet Explorer to the Microsoft 
NetWare client service.

The updates were released Tuesday morning local time as part of 
Microsoft's monthly cycle of security patches. Five of this month's 
updates are rated critical by Microsoft, meaning that these bugs could 
be exploited by attackers to run unauthorized software on a system 
without user action. Microsoft rates the sixth update, which fixes the 
NetWare flaw, as "important."

The updates also fix Microsoft's Extensible Markup Language (XML) 
parser, the Windows Workstation service, the Microsoft Agent and the 
Macromedia Flash Player that is distributed with the operating system.

According to Symantec, the most critical of the updates is the 
Workstation service patch. "This issue can be exploited by remote 
anonymous attackers on Windows 2000, Windows XP and possibly Windows 
Server 2003 systems," Symantec said in a statement. "A wide variety of 
component technologies and services are impacted by this issue which has 
potential for a worm-style attack."

The Internet Explorer update is important, because unlike many of the 
other services being patched this month, Internet Explorer can easily be 
targeted by attack code placed on a Web site, said Roger Thompson, 
co-founder and CTO with Exploit Prevention Labs. "I think IE is always 
the most critical," he said via instant message.

Because hackers have also posted attack code that exploits a hole in the 
XML parser, the XML update is also noteworthy, he said.

Symantec also flagged the XML update. "All supported versions of 
Internet Explorer (including the new Internet Explorer 7.0) make use of 
this functionality and are susceptible to possible attack," the company 
said. "This is a publicly known vulnerability that is currently being 
exploited in the wild."

November's update is the last for users of Microsoft's Software Update 
Services (SUS), which will no longer be supported as of Dec. 6. 
Microsoft is advising SUS users to upgrade to Windows Server Update 
Services 2.0 before the next security update, scheduled for Dec. 12.

All contents copyright 1995-2006 Network World, Inc.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods