Microsoft Fixes Three 'Critical' Security Holes

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Microsoft released fixes for three "critical" security holes in its June Patch Tuesday drop, but that was only part of the story.

While those three patches were the only ones that garnered Microsoft's (NASDAQ: MSFT) highest rating on its four-tier severity scale, that doesn't mean that IT administrators can relax.

"As part of our regular monthly security bulletin release cycle, we released 10 bulletins (patches) to address 34 total vulnerabilities in Windows, Microsoft Office (including SharePoint), Internet Explorer (IE), Internet Information Services (IIS), and the .NET Framework," Jerry Bryant, group manager for response communications, said in a post to the Microsoft Security Response Center blog.

The other fixes are less severe with ratings that range from "important" -- Microsoft's second highest rating -- to "moderate," which is the third highest.

Like the critical fixes, those rated important and moderate are also provided to administrators. However, their ratings reflect circumstances that make it harder for a hacker to take over users' PCs. Often for an attack to succeed, it requires extra actions by the user -- such as requiring a user to download a file from an unknown source.

Since most users have already been lectured that they should never download or open files from unknown sources, that route to a system takeover is less likely to work than a simple drive-by download that a user could encounter by visiting a rogue Website by accident.

Still, installing all of the patches can be a daunting task.

"It is important to keep in mind the perspective of the attacker when prioritizing the remediation efforts -- especially with so many vulnerabilities," Josh Abraham, a security researcher at Rapid7, said in an e-mail to InternetNews.com.

A second security researcher agrees.

"The impact will be felt enterprise-wide, as the bulletins cover a large portion of Microsoft's range of operating systems, infrastructure products and Office products, so it is strongly suggested that IT administrators investigate and prioritize this patch load as soon as possible," Don Leatham, senior director of solutions and strategy at security firm Lumension, said in an e-mail.

As usual, Microsoft sent out an e-mail last Thursday giving IT administrators and other end-user support professionals a warning notice that the patches were coming.

The most significant of the three critical patches contains fixes for five privately disclosed security flaws in all versions of Internet Explorer (IE), including IE8 running on Windows clients, including Windows 7. A sixth security vulnerability, also in IE, was publicly disclosed in early February.

Attacks on IE seem to continue unabated, so when Microsoft issues patches for the popular browser, admins are advised to implement them without delay, according to Jason Miller, data and security team manager at Shavlik Technologies.

"Internet Explorer is one of the most targeted applications for attackers, so Shavlik recommends that administrations address this bulletin immediately," Miller said in an e-mail.

A second critical patch contains fixes for two dangerous security vulnerabilities in the way Windows decompresses media files. The update is rated critical for most versions of Windows, ranging from Windows 2000 Service Pack 4 (SP4) to Windows XP with SP2 or SP3, as well as Windows Server 2008 and even Windows 7.

The third critical patch provides a so-called "cumulative update" for ActiveX control "kill bits." Kill bits are used to disable certain ActiveX controls that have been identified as containing exploitable security holes. The cumulative update denominator means that it contains all the previously distributed kill bits, as well as the new ones, so admins who have been behind in installing kill bits can get caught up in a single installation.

The cumulative update adds kill bits for two Microsoft errant ActiveX controls, as well as for three third-party controls that are also at risk, according to the company. It affects all client versions of Windows, but not server versions.

All of the patches and the alerts that describe them are located here.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.