July 12, 2006

18 Vulnerabilities, 7 Patches, 1 Barrel of Monkeys

July brings fixes for 18 vulnerabilities bundled in 7 patches. July also marks the official end of security support for all Windows 9x products. Let us pause and take a moment of silence for our fallen friends of old…

Now back to our regularly scheduled patch announcement:

  • MS06-033 .NET 2.0 Application Folder Information Disclosure Vulnerability - “could allow an attacker to bypass ASP.Net security and gain unauthorized access to objects in the Application folders explicitly by name.” Yawn.
  • MS06-034 Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Lead To Remote Code Execution - The only people who can exploit this are ones who can already upload ASP files to an IIS server. This basically makes it a privilege escalation attack, even though it uses a buffer overflow to accomplish it. Not too serious, and if you have untrusted people uploading ASP files to your web server, you have bigger problems.
  • MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution - This is the granddaddy of the patches, and Microsoft should create an uber-critical category for patches like this. It’s wormable, and makes a good case for personal firewalls. Get this one out fast.
  • MS06-036 Vulnerability in DHCP Client Service Could Allow Remote Code Execution - This one’s pretty critical, too. But the attacker has to be on the same subnet as the victim (same switch?).
  • MS06-037 Vulnerability in Microsoft Excel Could Allow Remote Code Execution - Open a malicious Excel doc and you are owned. In Office 2000, just visiting a website could do it. Already exploits in the wild.
  • MS06-038 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-037, except it applies to any Office doc and there are no known exploits yet.
  • MS06-039 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-038.

Get ‘um done.

Security Bulletin Summary [Microsoft]

Microsoft Patches 18 Security Flaws in Windows, Office [Security Fix]
