December brings seven Microsoft security bulletins
Microsoft has announced seven bulletins in its monthly security update affecting Windows, IE, Outlook Express and Visual Studio.
This is one more than it projected last week, having added a fix for a buffer overflow issue in a Windows Media file format. Last Thursday, Microsoft highlighted the problem as it had seen exploit code publicly available and has turned round a patch sharpish, which it rates as Critical.
The remaining patches follow Microsoft’s predicted output. A Critical cumulative patch for Internet Explorer addresses four issues, the most severe of which would allow a successful attacker to remotely run code.
A further Critical patch addresses a problem in the WMI Object Broker control that the WMI Wizard uses in Visual Studio 2005. An attacker could build a web page designed to exploit the issue when visited, potentially allowing code to be run remotely on the target system.
There also remain four patches that Microsoft considers Important. One affects Windows SNMP Service, again with the potential of an attacker being able to run code remotely. Despite Microsoft’s Important rating, Symantec considers this a nine out of 10 on its risk rating because of the commonplace use of SNMP within corporate networks. However, a properly configured SNMP service should only be accessible by trusted networks, i.e. not the Internet.
The second Important bulletin addresses a flaw in the way Windows handles file manifests. A successful attack would allow the attacker to escalate privileges and take complete control of the system. They would, however, need to be able to log on locally with valid logon credentials. It affects Windows XP SP2 and Windows Server 2003.
The Outlook Express patch addresses an issue with Address Book. An attacker could send a Windows Address Book file to a user of an affected system and take complete control of the system, including running code remotely.
The final patch fixes a flaw in the Remote Installation Service within Windows, which could be exploited to run code remotely. It affects Windows 2000 SP4; however, the service is not part of the default installation.
Windows Vista is not affected by these issues.
The bulletins do not include any fixes for Word, which has been the subject of a number of new vulnerabilities over the past week.
The bulletins are available via Automatic Update, but more information and manual downloads are available from the Microsoft website.