Microsoft Patches 18 Bugs; Two-Month Total Swells To 39

Microsoft on Tuesday rolled out 7 security updates for Windows and Office that fixed 18 bugs, a total that almost matched last month's 2006 record of 21 vulnerabilities.

Among them, said one security analyst, was the first flaw since August 2005 that could end up being used by a massive, network-attacking worm along the lines of Zotob, or even 2003's MSBlast.

MS06-035, one of the two critical bulletins for Windows, was immediately rated as a "10" by security vendor Symantec Tuesday, and named as the month's most dangerous vulnerability by Mike Murray, director of research at vulnerability management vendor nCircle.

"This is old-school," said Murray. "It's the real deal, an all-around vulnerability. The service runs by default and doesn't require authentication to attack."

According to Microsoft's explanation, the flaw is in Windows "Mailslot," a temporary data storage area, and could be used to hijack a PC simply by sending a malicious network packet over TCP port 445."We won't know how easy it is to write an exploit for this vulnerability until we have a chance to dig into how the vulnerability works, but this is the most serious [of the lot] by far," Murray continued.

Users of Windows 2000 are most at risk, as are users of Windows XP SP1 and Windows Server 2003; Windows XP SP2 and Windows Server 2003 SP1, however, "do not have services listening on Mailslots in default configurations," Microsoft wrote in the security bulletin, and so are conceivably safer. (Microsoft, however, still tagged both XP SP2 and Server 2003 SP1 with the "critical" label for the flaw.)

Murray recommended that those who couldn't immediately patch their systems block ports 445 and 139 to prevent an exploit.

Compared to MS06-035, the other half-dozen updates were small potatoes, Murray said. "We knew the Office fixes were coming, and IIS [Internet Information Services] is pretty well mitigated."

While 4 of Tuesday's 7 bulletins affect various editions of the Windows operating system and 3 involve Office, the bulk of the acknowledged vulnerabilities -- and 12 of the 13 rated as "critical" -- are in Office and its applications. MS06-037, for example, patched a total of 8 different bugs in Microsoft Excel, the company's popular spreadsheet application; MS06-038 fixed every Office application in the 2000, XP, and 2003 editions (and even the two most-recent versions of Mac Office); and MS06-039 updated Office XP, Office 2003, Project 2002, OneNote 2003, and other applications.

The Excel fixes were anticipated; several zero-day vulnerabilities in the spreadsheet were disclosed in recent weeks, and at least one targeted attack was reported.

Although last week some analysts suggested that Microsoft's June-July release of 19 bulletins (with 39 total vulnerabilities) will be seen as the high-water mark for the year, nCircle's Murray wouldn't agree.

"I've looked for a pattern for years," he said. "It's like trying to read tea leaves. There is no pattern."

But he did agree that the two-month record of nearly 40 fixed bugs meant something."The fact that we've just seen the biggest two months in row is due more to Microsoft being open and accountable about security than about how severe the bugs are. In 2001 or even 2002, some of the issues raised in bulletins today probably wouldn't even have warranted a mention by Microsoft.

"Now they're writing bulletins on everything, and trying to be as transparent as possible."

Users can obtain the month's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company maintains, such as Windows Server Update Services (WSUS) or Software Update Services (SUS).