RealTime IT News

Microsoft Patches Five 'Critical' Flaws

Microsoft Windows and Office have the spotlight today, as the company released seven patches, five deemed critical, as part of its Patch Tuesday.

In response to at least 10 vulnerabilities, the seven patches fixed security holes in consumer and enterprise software.

At the top of the critical list is security bulletin MS06-035, which addresses a vulnerability in Windows Server 2003, as well as Windows XP and Windows 2000. A security flaw in the Windows Server Service could allow remote code execution.

Another critical security patch, MS06-036, hopes to keep Windows computers online. A hole in the DHCP Client Service of both servers and Windows XP and Windows 2000 machines could prevent systems from connecting to the Internet.

Bulletin MS06-037 announces a patch that fixes a vulnerability permitting attackers to send malformed Excel files that later could be executed, taking control of a system, according to Jonathan Bitle, product manager of Qualys, a managed security company.

Two of the critical patches affect Office users.

For those running Office 2000, Service Pack 3, Microsoft released MS06-038, resolving two vulnerabilities, the most serious permitting remote code execution.

The second Office hole affects Project 2000 users. The patch, MS06-038, resolves two vulnerabilities in Office, the most serious of which could allow remote code execution.

Microsoft also released two patches marked "important."

In MS06-033, a vulnerability in ASP.NET could allow an attacker to gain access to information, such as filenames, in the Applications folder.

The flaw would not allow intruders to execute code remotely or raise user rights, according to Microsoft.

The final Tuesday patch is MS06-034, which addresses a vulnerability that could allow attackers to wrest control of a Windows IIS server by uploading malformed .ASP Web pages.

Intruders would need to have valid logon information for the vulnerability to work, according to today's security notice.

Today's batch of security bulletins follows 12 security notices the company released last month.

That group of patches included fixes for Windows and Microsoft applications, including Windows Media Player, Internet Explorer and Microsoft Outlook.