For June’s Patch Tuesday, Microsoft has released a whopping
12 security bulletins, eight of which it has rated critical. The remaining four
bulletins address important to moderate threats.
Details
For most people, the big news this past week was Bill Gates’
announcement of his plans to gradually leave Microsoft in order to
concentrate more on his charitable foundation. However, the software giant’s
Patch Tuesday overshadowed this momentous news—at least for those of us in the
security world, who spent our time updating Microsoft programs.
For June’s Patch Tuesday, Microsoft released 12 security
bulletins, patching
21 holes in the process. Before we delve into these bulletins, remember
that updates are always possible, so be sure to check the specific bulletins
for detailed upgrade and workaround information. Let’s take a look, in order of
risk level.
Critical threats
MS06-021
Microsoft
Security Bulletin MS06-021 is a cumulative update for Internet Explorer. As
such, this bulletin covers a vast array of threats to IE 5.0 and IE 6.0,
ranging from low to critical risks. These threats include spoofing, remote code
execution, and information disclosure.
Almost all of these vulnerabilities were privately disclosed, and there have been no reports of exploits for them. However, active exploits of the CSS Cross-Domain Disclosure Vulnerability (CVE-2005-4089) are currently circulating.
MS06-022
Microsoft
Security Bulletin MS06-022, “Vulnerability in ART Image Rendering
Could Allow Remote Code Execution,” addresses CVE-2006-2378.
Install this update after you’ve
installed the MS06-021 patch.
This is a critical threat to Windows 98, Windows SE, Windows ME, Windows XP Service Pack 1, Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1. It doesn’t affect Windows 2000 unless the Windows 2000 AOL Image Support Update is installed; with that update present, it is a critical threat there as well.
MS06-023
Microsoft
Security Bulletin MS06-023, “Vulnerability in Microsoft JScript Could
Allow Remote Code Execution,” also addresses critical IE threats. This is
a newly reported vulnerability, and there are no reports of active exploits.
Microsoft recommends installing this patch at the same time as MS06-021.
Designated CVE-2006-1313, the JScript flaw is a critical threat for Windows 98, Windows SE, Windows ME, Windows 2000, Windows XP SP1, and Windows XP SP2 systems. It is only a moderate threat to Windows Server 2003 and Windows Server 2003 SP1.
MS06-024
Microsoft
Security Bulletin MS06-024, “Vulnerability in Windows Media Player
Could Allow Remote Code Execution,” affects various versions of Windows Media
Player, including those installed on Windows XP (including Windows XP
Professional x64 Edition) and Windows Server 2003 (including Windows Server
2003 x64 Edition). It also affects Media Player 9 on Windows 98, Windows SE,
and Windows ME.
The vulnerability designation is CVE-2006-0025.
According to Microsoft, it has received no reports of active exploits.
MS06-025
Microsoft
Security Bulletin MS06-025, “Vulnerability in Routing and Remote
Access Could Allow Remote Code Execution,” addresses two separate
vulnerabilities: CVE-2006-2370
and CVE-2006-2371.
According to Microsoft, there are no reports of active exploits for either
vulnerability, and no proof-of-concept code is circulating.
This is a critical threat only for Windows 2000. It is an important threat for Windows XP SP1, Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1.
MS06-026
Microsoft
Security Bulletin MS06-026, “Vulnerability in Graphics Rendering
Engine Could Allow Remote Code Execution,” addresses CVE-2006-2376.
This vulnerability only affects Windows 98, Windows SE, and Windows ME, and
there are no reports of active exploits.
MS06-027
Microsoft
Security Bulletin MS06-027, “Vulnerability in Microsoft Word Could
Allow Remote Code Execution,” addresses CVE-2006-2492.
This update affects Microsoft Word, Word Viewer, and Microsoft Works Suite
beginning with the 2000 versions; it doesn’t affect Word v.X for Mac or Word
2004 for Mac.
This is a critical threat only for Word 2000; it’s an
important threat for all other affected versions. This security bulletin replaces
MS06-012
for Word 2000 and Word 2002, and it replaces MS05-023
for Word Viewer 2003. There have been reports of active exploits for this
vulnerability, so don’t hesitate to apply the patch.
MS06-028
Microsoft
Security Bulletin MS06-028, “Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution,” addresses CVE-2006-0022.
No proof-of-concept code is circulating, and this is not an active attack
vector.
This is a critical threat only for PowerPoint 2000. It is an
important threat for PowerPoint 2002, PowerPoint 2003, PowerPoint 2004 for Mac,
and PowerPoint v.X for Mac.
Less critical threats
Let’s take a look at the four security bulletins for June that Microsoft has rated important or moderate:
- Microsoft Security Bulletin MS06-029, “Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection,” addresses CVE-2006-1193. No reports of active exploits have surfaced.
- Microsoft Security Bulletin MS06-030, “Vulnerability in Server Message Block Could Allow Elevation of Privilege,” addresses CVE-2006-2373 and CVE-2006-2374. Malicious users can’t exploit this threat via the Internet, and there are no reports of active exploits.
- Microsoft Security Bulletin MS06-032, “Vulnerability in TCP/IP Could Allow Remote Code Execution,” addresses CVE-2006-2379. No reports of active exploits have surfaced.
- Microsoft Security Bulletin MS06-031, “Vulnerability in RPC Mutual Authentication Could Allow Spoofing,” addresses CVE-2006-2380. This threat only affects Windows 2000 with Service Pack 4 installed, and there have been no reports of active exploits.
Final word
While no security vulnerability is good news, most of these security
bulletins address relatively minor threats, and Microsoft released them before
they became public knowledge. All you need to do is apply the necessary updates
to your systems.
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.