Microsoft Fixes 14 Flaws

Three of the bulletins were tagged as "critical," one as "important," and the fifth as "moderate," the last being the second-lowest of Microsoft's four severity ratings (critical, important, moderate, low).
Both flaws can be exploited by attackers who could take complete control of a PC if they could lure users to malicious sites or get them to open e-mail attachments.

"Both of these are in the same sort of category as the IE vulnerabilities," said Murray. "Both could be used in the kind of user-interaction scenarios we've been seeing for some time.

"When you're talking about user interaction vulnerabilities, whether it’s a shell bug [MS06-015] or in MDAC [MS06-014], it's all about the same," Murray added.

The fourth and fifth bulletins unveiled Tuesday affect Outlook Express, the free e-mail client bundled with Windows (MS06-016), and Microsoft Office's FrontPage Web design application (MS06-017). The former was labeled "important," the latter "moderate" by Microsoft.

A large number of the vulnerabilities disclosed Tuesday must be patched even by those running Microsoft's most-current desktop operating system, Windows XP SP2, which debuted in August 2004 and has been heralded by many as much more secure.

"We are seeing more vulnerabilities for SP2," admitted Murray, "but what we're not seeing are remote vulnerabilities. All the vuls we're seeing require you to click on something or download something. What SP2 did is eliminate those remote vulnerabilities."

Qualys' Bitle seconded that.

"There's no more of what I call 'outside-in' threats," he said. "Instead, it's all 'inside-out' since SP2 was released. Firewalls and perimeter defenses can't stop users from visiting malicious sites."

Both were hopeful, Murray more so, that the upcoming Windows Vista and IE 7 would continue the trend toward locking down the operating system and making it more difficult for users to blithely surf to suspicious sites.

"Look at the vulnerabilities," urged Murray. "There are not that many that affect Windows [Server] 2003. That's because it's locking down the browser more.

"Microsoft is doing the right things to mitigate problems as time goes on. With Vista and IE 7, the OS and browser will be more locked down. Then attacks will turn to e-mail clients.

"And then we'll have to lock them down more."

Users can obtain the month's patches via Windows Automatic Updates, from the Microsoft Update service, or through other software and services the company maintains, such as Windows Server Update Services (WSUS) or Software Update Services (SUS).
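Whichever channel delivers the patches, an administrator still wants to confirm that a given host actually received them. The following is an added example, not code from the article or from Microsoft: it uses the Windows Update Agent COM API (Microsoft.Update.Session), which is what Automatic Updates, Microsoft Update and WSUS clients all drive, to ask the machine's configured update source which of the five April bulletins named on this page are installed, missing, or not offered at all. The bulletin IDs are the ones the page lists; the search criteria and the hashtable of results are this example's own.

```powershell
# Added example: report the install state of the April 2006 bulletins on this host
# by querying the Windows Update Agent (WUA) COM API. Requires PowerShell 2.0+
# and a reachable update source (Microsoft Update or the host's assigned WSUS server).

# The five bulletins discussed on the page (assumed list for this check).
$bulletins = 'MS06-013', 'MS06-014', 'MS06-015', 'MS06-016', 'MS06-017'

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Two searches: updates already installed, and updates the source still offers.
# Each is a standard WUA criteria string; the agent queries the configured source.
$installed = $searcher.Search('IsInstalled=1').Updates
$missing   = $searcher.Search('IsInstalled=0').Updates

# Default every bulletin to 'not offered': the source may not publish it
# (e.g. WSUS where the update is unapproved, or a product the host lacks).
$status = @{}
foreach ($b in $bulletins) { $status[$b] = 'not offered' }

function Set-BulletinState($updates, $state) {
    foreach ($u in $updates) {
        # IUpdate.SecurityBulletinIDs lists the MSyy-nnn bulletins an update addresses.
        foreach ($id in $u.SecurityBulletinIDs) {
            if ($bulletins -contains $id) { $status[$id] = $state }
        }
    }
}

Set-BulletinState $installed 'installed'
# Missing updates overwrite 'installed' only if the source offers a newer package
# for the same bulletin, which is exactly the case worth surfacing.
Set-BulletinState $missing   'MISSING'

$status.GetEnumerator() | Sort-Object Name |
    Select-Object @{n='Bulletin';e={$_.Name}}, @{n='State';e={$_.Value}} |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell prompt on the host in question. A bulletin reported as "not offered" is not proof that the host is safe: it only means the configured update source did not list it, which on a WSUS deployment usually means the update has not been approved for that computer group yet.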
