Microsoft Plugs ‘Critical’ Office Security Leak

UPDATED: Software giant Microsoft released three security
bulletins, one of which is aimed at correcting a critical flaw in Microsoft
Publisher 2000.

The critical patch, MS06-054, cures a security risk posed by a malformed Publisher file.

If a user is logged in with administrative rights, attackers could take control of a system, deleting or changing data, according to Microsoft.

A second patch, deemed “important,” is aimed at Windows XP users. Security bulletin MS06-52 is meant to solve a denial-of-service vulnerability in the Windows Reliable Multicast Program (PGM) component of the operating system.

Although the component is not installed by default, the PGM flaw could enable attackers to
wrest control of a system by sending a malformed message, according
to Microsoft.

The final patch is rated “moderate,” meaning Windows XP, Windows 2000
and Windows Server 2003 users should consider applying it.

Security Bulletin MS06-053 fixes a vulnerability in
the indexing service that could allow cross-site scripting.

The flaw could allow an attacker to gain access to information that later
could be used to compromise a system.

The index service lies at the core of Windows systems, indexing the
contents of IIS Web servers, as well as filesystems.

The patch replaces MS05-003, first released by Microsoft on January 11, 2005.

Microsoft also re-released two critical patches.

MS06-040, first
introduced on Aug. 8, fixes a buffer over-run vulnerability in Windows.

MS06-042 is a cumulative patch addressing 10 flaws in Internet Explorer 5.01 and Internet Explorer 6.

Some believed this month’s Office patch might address a flaw in Word 2000, which Microsoft earlier this month said it was

The zero-day flaw could allow attackers to corrupt
system memory and execute arbitrary code when a user opens a malicious Word
file or visits a special Web site.

The patches could come as welcome relief to Windows users who
had become accustomed to applying half-a-dozen or more security fixes
each month.

Last month, Microsoft unveiled a dozen patches, nine deemed of “critical” importance.
