In one of the largest security updates since moving to a monthly patch release cycle, Microsoft yesterday issued 12 bulletins detailing fixes for 21 separate vulnerabilities in a wide range of products.
Eight of the bulletins and 12 of the vulnerabilities were rated critical by the company. Three bulletins detailed fixes for important flaws, while one described a flaw of moderate severity. The vulnerabilities disclosed Tuesday affect several Microsoft products, including IE (Internet Explorer), Windows Media Player, Microsoft Outlook and PowerPoint.
The update is so large because attackers have shifted to exploiting weaknesses in client-side applications rather than in network services that run automatically on an operating system. That type of attack relies on PC users' tendency to open email attachments and other files from unknown senders.
"It's a who's who of what applications are installed on an end-user PC, from Internet Explorer to PowerPoint to Word to Media Player," said Jonathan Bitle, product manager with Qualys Inc.
The risk is much greater than a virus sending email to all the names in a user's address book. Instead, 19 of the 21 vulnerabilities allow remote code execution, the term for a flaw that lets an attacker run a program of their choosing on a user's PC and, with that user's privileges, take control of it.
With such control, a hacker could steal or corrupt data, or even use the host computer to launch additional attacks on other networks.
The sole consolation is that hackers cannot exploit most of those weaknesses unless a user opens an infected file, such as a PowerPoint slideshow, Word document or Media Player picture, said Amol Sarwate, manager of the vulnerability research lab at Qualys.
Still, system administrators must install all 21 patches, he warned. "You can't rely on end users not going to a malicious website or not opening an email attachment."
These client-side vulnerabilities also open the door to a host of lesser threats, said Oliver Friedrichs, director of Symantec Security Response.
A malicious website can easily install crimeware, spyware or adware on a visitor's PC.
Tuesday's announcement is "certainly one that people need to sit up and take notice of", said Michael Sutton, director of VeriSign's iDefense Labs. He noted that most of the critical flaws disclosed yesterday are on the client side, highlighting a continuing trend away from server-side security issues.
"Client-side vulnerabilities have become one of the most prominent methods by which computers become infected today," Friedrichs said in a statement. "Today's release continues that trend" and highlights the danger users face simply by visiting certain websites, he said.
Internet Explorer flaws
One of the bulletins rated as critical by Microsoft described a cumulative update for Internet Explorer that fixed eight newly discovered flaws in the company's web browser. The impact of the flaws included remote code execution, information disclosure and spoofing, according to Microsoft.
Another bulletin offers a fix for a critical vulnerability in how Windows handles the ART image format used by AOL's client software. An attacker could exploit the flaw by creating a specially crafted ART image that would allow for remote-code execution on a victim's computer.
Media Player flaws
Another critical remote-code execution vulnerability disclosed yesterday involves Microsoft Windows Media Player technology. The buffer-overflow flaw exists in the way Media Player handles the PNG (Portable Network Graphics) image format associated with Media Player and could allow an attacker to take complete control of an affected system, the company warned.
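The page does not say exactly how Media Player's PNG handling fails, so the following is an added illustration of the general class of bug, not Microsoft's code and not a reconstruction of the MS06-024 flaw. PNG files are a sequence of chunks, each carrying a 4-byte big-endian length, a 4-byte type, the data and a 4-byte CRC. A decoder that trusts the declared length when sizing a copy, or adds the 12 bytes of overhead to it in 32-bit arithmetic, can be driven past the end of its buffer by a crafted file. The code below shows the naive size arithmetic wrapping beside a hardened check, and walks two constructed images: a minimal valid one and one whose first chunk claims nearly 4 GB of data. The per-chunk cap of 4096 bytes is an assumption for the example, and CRCs are deliberately not validated.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: a generic PNG chunk reader, not Media Player's decoder. */

enum png_status { PNG_OK = 0, PNG_ERR_TRUNCATED = 1, PNG_ERR_TOO_LARGE = 2, PNG_ERR_BAD_SIG = 3 };

#define MAX_CHUNK_DATA 4096u   /* assumed per-chunk cap for this example */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Naive size arithmetic: the pattern that lets a hostile length pass a bounds check.
 * 12 = length field + type field + CRC. With a declared length near UINT32_MAX the
 * sum wraps, so "total <= remaining" is true while the data is far larger than any buffer. */
uint32_t chunk_total_unsafe(uint32_t declared_len) {
    return declared_len + 12u;   /* unsigned wraparound, silently */
}

/* Hardened: bound the length by an absolute cap and by the bytes actually present,
 * subtracting the fixed overhead from the remaining count so nothing can wrap. */
int chunk_check_safe(uint32_t declared_len, size_t remaining, size_t *total_out) {
    if (declared_len > MAX_CHUNK_DATA) return PNG_ERR_TOO_LARGE;
    if (remaining < 12 || declared_len > remaining - 12) return PNG_ERR_TRUNCATED;
    *total_out = (size_t)declared_len + 12;
    return PNG_OK;
}

/* Walk the chunks of a PNG image, copying each payload into a fixed buffer only after
 * chunk_check_safe() approves it. Returns the number of chunks processed (stopping at
 * IEND), or a negative PNG_ERR_* code for the first malformed chunk. */
int walk_png_chunks(const uint8_t *img, size_t len) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    static uint8_t payload[MAX_CHUNK_DATA];
    if (len < 8 || memcmp(img, sig, 8) != 0) return -PNG_ERR_BAD_SIG;

    size_t off = 8;
    int count = 0;
    while (off < len) {
        uint32_t declared = be32(img + off);
        size_t total;
        int rc = chunk_check_safe(declared, len - off, &total);
        if (rc != PNG_OK) return -rc;
        memcpy(payload, img + off + 8, declared);  /* declared <= MAX_CHUNK_DATA here */
        count++;
        if (memcmp(img + off + 4, "IEND", 4) == 0) break;
        off += total;
    }
    return count;
}

/* Constructed sample: signature, a 13-byte IHDR (1x1, 8-bit grayscale), then IEND.
 * CRC fields are zero placeholders because this example does not check them. */
static const uint8_t good_png[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 1,  0, 0, 0, 1,  8, 0, 0, 0, 0,
    0, 0, 0, 0,
    0, 0, 0, 0,  'I', 'E', 'N', 'D',
    0, 0, 0, 0
};

/* Constructed hostile sample: first chunk declares 0xFFFFFFF8 bytes of data
 * while the file holds only 12 bytes after the signature. */
static const uint8_t evil_png[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0xFF, 0xFF, 0xFF, 0xF8, 'I', 'D', 'A', 'T',
    0, 0, 0, 0
};

int main(void) {
    printf("naive total for 0xFFFFFFF8: %u (wrapped)\n", chunk_total_unsafe(0xFFFFFFF8u));
    printf("good image: %d chunks\n", walk_png_chunks(good_png, sizeof good_png));
    printf("evil image: status %d\n", walk_png_chunks(evil_png, sizeof evil_png));
    return 0;
}
```

The hostile file is rejected before any copy happens, whereas the naive total of 4 would have satisfied a check of the form `total <= remaining` and let the subsequent copy run off the end of its destination. Real decoders apply a limit well below the PNG specification's maximum chunk length for the same reason.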
In addition, security administrators should pay particular attention to vulnerabilities detailed in bulletins MS06-025 and MS06-029, according to an advisory from McAfee Inc.
The flaws described in MS06-025 affect the Windows Routing and Remote Access Service, while those described in MS06-029 deal with a script-injection vulnerability in Exchange Server.
"These vulnerabilities are worm candidates and could result in a mass-mailing worm," McAfee said.
Microsoft announced fixes for several other flaws in products such as PowerPoint and Word.
In an emailed statement, Monty Ijzerman, senior manager of the global threat group at McAfee Avert Labs, said the number of critical flaws patched by Microsoft in the first half of 2006 is 70 percent higher than during the same period last year.
Many of these vulnerabilities can be exploited without the user even opening an infected file, so Symantec recommended that IT administrators follow security best practices, back up sensitive data and remind users to avoid opening unexpected email attachments or following web links from unknown sources.
Likewise, consumers should run Windows Update and install all the latest security updates, and use security software, Symantec said.