Microsoft released three security bulletins for September's Patch Tuesday, but only one is critical. The other two bulletins patch more minor threats. However, Redmond has yet to release a patch for the known Word 2000 vulnerability, which attackers are already exploiting.
Well, Microsoft is taking it easy on us at the end of summer, releasing only three security updates for this month. Even the critical threat should have relatively minor impact on many businesses because it mainly affects Microsoft Publisher. However, readers should note that other Microsoft Office applications use some of the affected files, which can cause some minor problems.
Microsoft Security Bulletin MS06-054, "Vulnerability in Microsoft Publisher Could Allow Remote Code Execution," is only a critical threat for users of Office Publisher 2000 Service Pack 3. While this threat also affects Office Publisher 2002 SP3, Office Publisher 2003 SP1, and Office Publisher SP2, it is only an important threat for these versions.
This is a newly reported threat, and there have been no reports of exploits in the wild (CVE-2006-0001). The only workaround is to refrain from opening or saving Publisher files obtained from untrusted sources.
Note: An update to MS06-054 indicates that installing the update will prevent users from accessing Publisher 2.0 files. For more details, see Microsoft Knowledge Base article 924685.
In addition, keep in mind that even though the patch will block attacks exploiting this vector, opening a malformed Publisher file (such as one designed to exploit the vulnerability) after installing the patch can still cause a system crash.
If your organization doesn't use Publisher, it isn't important that you apply the update for security reasons. But if you have Publisher installed and don't install the update, you can expect to get periodic reminders about updating the affected files.
Microsoft Security Bulletin MS06-053, "Vulnerability in Indexing Service Could Allow Cross-Site Scripting," addresses a moderate to low threat caused by a query validation error (CVE-2006-0032). This is a moderate threat for Windows 2000 SP4, Windows XP SP1, and Windows SP2, but it's only a low threat for Windows Server 2003 and Windows Server 2003 SP1.
This is a newly discovered vulnerability, and there have been no reports of exploits in the wild. This bulletin replaces Microsoft Security Bulletin MS05-003 for Windows XP SP1 and Windows Server 2003.
Because this threat only applies to Internet Information Services (IIS), there should be no impact for many users; Windows XP and Windows Server 2003 don't install or enable IIS by default. Read the security bulletin to learn about available workarounds; the most useful one is to simply remove or disable the Indexing Service if it isn't necessary.
Microsoft Security Bulletin MS06-052, "Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution," is an important threat that affects Windows XP SP1 and Windows XP SP2 only. This is a privately reported vulnerability, and there have been no reports of active exploits (CVE-2006-3442).
The Pragmatic General Multicast protocol is only present on systems with Microsoft Message Queuing version 3.0 installed, which isn't part of the default installation. Using firewall best practices should block attacks trying to exploit this vulnerability, but Microsoft reports no known workarounds.
Updates to previously released security bulletins
- Microsoft Security Bulletin MS06-040: Originally released in August, version 2.0 addresses patch problems with Windows Server 2003 and Windows XP Professional x64, as described in Knowledge Base article 921883.
- Microsoft Security Bulletin MS06-042: Also released in August, this Internet Explorer cumulative update has now reached version 3.0, a necessary step to fix a number of problems with the patches.
Although MS06-054 shouldn't concern you unless you use Microsoft Publisher, you should still watch for developments—if no problems crop up with the update, I would go ahead and apply it if you have Publisher installed. If you don't have Publisher installed, then you can—and probably should—ignore this bulletin entirely.
A bigger concern is the extremely critical Microsoft Word vulnerability, which attackers are currently exploiting. However, Microsoft did not address this threat with this month's security bulletin releases.
Also watch for …
- I've seen early reports of a new KeyFrame() Internet Explorer threat, which Secunia rates as extremely critical. Designated CVE-2006-4777, this only affects IE 6 and relates to ActiveX vulnerabilities.
- But don't turn to Firefox just yet: Secunia Security Advisory SA21906 details some highly critical threats to Firefox versions 0.x and 1.x. Upgrading to Firefox version 184.108.40.206 should fix the multiple threats.
Miss a column?
Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.
Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.