Microsoft has promised us an action-packed Patch Tuesday, announcing plans to release between 10 and 12 security bulletins for the month. In the meantime, before you get wrapped up in applying all those updates, take some time to consider other pressing security issues, including recent AirPort and Mac OS X threats, a hole in Skype, and a problem with McAfee security software.

Details

With Microsoft slated to release of slew of updates this week, I suspect I'll be focusing the majority of the next couple editions of IT Locksmith on the results of October's Patch Tuesday. So, during the calm before the October patch storm, I want to address some other significant threats.

Skype for Mac threat

Secunia Advisory 22185 reports that a string handling vulnerability in Skype for Mac 1.x can allow a remote system compromise. Skype is an Internet phone system with a growing user base, and many managers may not realize just how many users have installed it. This particular threat relates to the improper handling of URI arguments.

This is a critical threat for those running Skype on Macs (CVE-2006-5084). Users with affected systems should upgrade to Skype version 1.5.0.80.

McAfee threats

Secunia is also reporting that vulnerabilities have surfaced in both McAfee ePolicy Orchestrator 3.x and McAfee Protection Pilot 1.x that can lead to unauthorized local network system access. Vendor patches (Protection Pilot and ePolicy Orchestrator) are available for the flaw (CVE-2006-5156).

Microsoft threats

At least two critical Microsoft vulnerabilities are currently circulating, and there's no telling if Redmond will address them in this month's updates. (If the software giant does release patches, you can read more about them in next week's article.)

Microsoft Security Advisory 925444 discusses an ActiveX DirectAnimation Path vulnerability that can permit remote code execution. The vulnerability affects Internet Explorer 5.01 Service Pack 4 on Windows 2000 SP4, IE 6 SP1 on Windows 2000 SP4 and Windows XP SP1, IE 6 on all remaining versions of Windows XP SP2, and IE 6 on all versions of Windows Server 2003 and Windows Server 2003 SP1.

Microsoft reports that attacks exploiting this vulnerability are currently taking place. Secunia Advisory 21910 links both CVE-2006-4777 and CVE-2006-4446 to this Daxctle.ocx KeyFrame() threat and rates it extremely critical.

Microsoft Security Advisory 926043, Secunia Advisory 22159, and CVE-2006-3730 all refer to a Windows Shell Code Execution vulnerability that's also highly critical because it allows remote system access. Microsoft has received reports that malicious Web sites are actively exploiting this vulnerability.

This vulnerability affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. If Microsoft doesn't address this threat for October's Patch Tuesday, I suggest checking out the workarounds listed in the security advisory.

Note: If all these CVE designations get to be too much for you, you can easily determine which ones Microsoft has addressed by searching for the specific CVE number on TechNet. The search will also help you quickly locate any TechNet blog posts that reference the threat.

Apple threats

Just in case you have a few Macs in an otherwise all-Microsoft shop, I thought I should pass along an AirPort threat advisory from the French Security Incident Response Team (FrSIRT). Potential hackers could use the three threats—caused by stack, buffer, and integer overflow errors—to remotely or locally exploit a system.

These threats affect Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.7, and Mac OS X Server 10.4.7. Upgrades are currently available; you can find the links for each affected version in the FrSIRT advisory.

Final word

OK, OK, I know there are actually no security threats to Apple products—only Microsoft has security issues. But if you have Macs somewhere in your network, you need to check out these patches. Despite the fact that all Apple OSs are perfect, these really are critical threats. (And yes, I'm being sarcastic. I really get tired of hearing how Microsoft is all bad while Mac and UNIX boast perfect security.)

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.