Microsoft has released a security advisory warning that
proof-of-concept code is now available for a flaw patched in this month’s Patch
Tuesday release of security bulletins. In addition, Secunia has listed two new
Microsoft threats that it’s rating highly critical.
On June 23, Microsoft released Security Advisory 921923, “Proof of Concept Code Published Affecting the Remote Access Connection Manager Service.” The advisory warns users that there is now proof-of-concept code available to exploit the Remote Access Connection Manager Service vulnerability addressed by Microsoft Security Bulletin MS06-025, “Vulnerability in Routing and Remote Access Could Allow Remote Code Execution,” released as part of June’s Patch Tuesday.

If you’ve already installed the security update, this
security advisory doesn’t affect you. If you’ve yet to apply the patch,
remember that anyone running Windows 2000 is at serious risk for this threat,
especially now that proof-of-concept code is circulating.

While this threat also affects Windows XP and Windows Server 2003, the threat level is much lower. So far, the only major problem with the patch affects dial-up users, which shouldn’t apply to most TechRepublic

Meanwhile, Secunia has listed two new Microsoft threats that it’s rating highly critical. Secunia Advisory 20748 discusses a hyperlink object library buffer overflow affecting Office macros (CVE-2006-3086).

Secunia Advisory details a vulnerability in Excel’s Repair Mode code (CVE-2006-3059). Microsoft Security Advisory 921365, “Vulnerability in Excel Could Allow Remote Code Execution,” offers workarounds for the latter threat. Otherwise, just avoid opening documents and worksheets from untrusted sources.

Final word

The recent Microsoft Security Advisory reminded me that we’re
halfway through the year, which got me wondering just how Microsoft is doing
this year as compared to last. So, I decided to do a little investigating and
took a quick look at the list of the 2005 security bulletins to compare them to
this year’s numbers. The stats are surprisingly close.

June 2005 saw the release of MS05-034 as the
final release of the month. This year, we’ve seen 32 security bulletins in the
same six-month period.

What about the severity of the threats? Of the 32 security
bulletins in 2006, 19 have been critical threats, 10 were important threats,
and three were moderate threats.

For the 34 security bulletins during the same period in 2005,
18 were critical threats, 12 were important threats, and four were moderate
threats. Statistically, the numbers are amazingly similar—although whether this
has any real significance is questionable.

Two years ago, by the end of June 2004, there had been only
17 security bulletins. Whether that was due to fewer problems or less attention
paid by Microsoft security analysts is difficult to determine, so I’ll just
post the numbers and let it go at that. I will point out that there were a
total of 45 security bulletins published by the end of 2004.

So, how is this information useful? It can help us predict
how many more threats Microsoft is likely to address by the end of the year.

Microsoft released a total of 55 security bulletins in 2005,
and we’re on track to see about the same number this year. Even in a “slow”
year like 2004, there were 45 security bulletins, so I think we’ll see between
50 and 55 bulletins by the end of 2006. Based on past data, slightly more than
half of those are likely to be a critical threat.

So, while there seems to be a general feeling that there’s a
slowdown in the summer months, the numbers prove otherwise. In July 2005,
Microsoft released three critical bulletins, while August 2005 saw six security
bulletins—three critical, one important, and two moderate threats addressed by
the Microsoft security team in the heat of the summer.

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.