


Microsoft releases 8 ‘Critical’ Security Patches for Windows, Internet Explorer, others

Wednesday, June 14th, 2006 | Related entries: Security

On Tuesday, Microsoft Corp. released 12 patches — eight of which are deemed “critical” — as part of its regularly scheduled monthly security update. The patches fix security flaws in its Windows operating system, Internet Explorer browser, Windows Media Player and Office productivity software.


The critical patches — so called because they deal with problems considered to pose the highest threat in Microsoft’s security warning system — are all designed to prevent an attacker from taking control of another person’s computer without that user’s permission.

The critical patches are:
• MS06-021, Cumulative Security Update for Internet Explorer: Resolves several vulnerabilities in Internet Explorer that could allow remote code execution, four of which are rated “critical” for IE 6 for Windows XP SP 2 (multiple CVEs). The company recommends reading this Knowledge Base article for known issues with this patch.
• MS06-022, Vulnerability in ART Image Rendering Could Allow Remote Code Execution: This update resolves a vulnerability that could allow remote code execution when using Internet Explorer (CVE-2006-2378).
• MS06-023, Vulnerability in Microsoft JScript Could Allow Remote Code Execution: Resolves a vulnerability in JScript that could allow remote code execution when using Internet Explorer (CVE-2006-1313). Update should be installed at the same time as MS06-021 above to be effective.
• MS06-024, Vulnerability in Windows Media Player Could Allow Remote Code Execution: Deals with Windows Media Player PNG vulnerability CVE-2006-0025.
• MS06-025, Vulnerability in Routing and Remote Access Could Allow Remote Code Execution: Fixes Windows vulnerabilities dealing with RRAS memory corruption and RASMAN registry corruption (multiple CVEs).
• MS06-026, Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution: Fixes a graphics rendering vulnerability relating to the way Windows handles Windows MetaFile (WMF) graphics (CVE-2006-2376). Microsoft recommends reading this KB article for known issues relating to this patch, although the article does not address those issues at press time.
• MS06-027, Vulnerability in Microsoft Word Could Allow Remote Code Execution: Fixes a flaw related to a Word malformed object pointer vulnerability (CVE-2006-2492).
• MS06-028, Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution: Fixes a flaw in PowerPoint that could allow hackers to exploit administrator log-ins (CVE-2006-0022). Critical rating applies to PowerPoint 2000 only — rated “important” for other versions.

There are also three patches rated “important” and one “moderate.” They are:
• MS06-029, Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection: Fixes a script injection vulnerability in Exchange Server running Outlook Web Access that an attacker could exploit via a crafted e-mail message (CVE-2006-1193). Microsoft recommends reading this KB article before installing for known issues with this patch.
• MS06-030, Vulnerability in Server Message Block Could Allow Elevation of Privilege: This update resolves several vulnerabilities in Windows that require the attacker to have valid logon credentials and be able to log on locally to exploit (multiple CVEs).
• MS06-032, Vulnerability in TCP/IP Could Allow Remote Code Execution: Fixes an IP source route vulnerability (CVE-2006-2379). Microsoft recommends reviewing this KB article for known issues with this patch.
• MS06-031, Vulnerability in RPC Mutual Authentication Could Allow Spoofing: This moderate-rated update fixes an issue with the RPC service that could enable an attacker to spoof a trusted network resource (CVE-2006-2380).

Users can go to http://www.microsoft.com/security to download the Microsoft patches.
