Microsoft Pumps Out A Dozen Patches For 21 Flaws

Microsoft picks up the pace of security updates, releasing a huge set that aims to fix 21 separate vulnerabilities.

June 13, 2006


Microsoft on Tuesday unveiled a dozen security updates, a massive set that fixed 21 separate vulnerabilities, the majority of which the company tagged with its most serious threat rating, critical.

The 12 bulletins were the most Microsoft had released in a single day since February 2005, and tied for the second-largest batch in the company's history.

Among the updates were 9 that affected various versions of Windows, 2 that affected applications in Microsoft's Office suite, and 1 involving the Exchange e-mail server software. Nineteen of the vulnerabilities could let an attacker execute code remotely, the hallmark of the most dangerous flaws.

Still, security analysts were surprisingly calm about the patch storm.

"With the number of bulletins today, I thought we'd see the 'Big One,'" said Mike Murray, director of research at vulnerability management vendor nCircle. "A worm like Blaster or Nimda or Code Red. But it's not there. The big thing today, I think, is that well more than half require client-side user interaction. It looks like the trend toward client-side vulnerabilities is really sticking."

Others were awed only by the sheer number of fixes that individual Windows users and corporations were expected to deploy.

"Just the volume of it is impressive," said Amol Sarwate, the manager of Qualys Software's vulnerability lab. "If it was just one vulnerability, you could send an e-mail to workers saying 'Don't open Word documents until we patch this.' But you can't do that today. You'd have to tell them not to open Word documents and PowerPoint files and Windows Metafile images. You'd have to tell them to just stop working."

The long-awaited fix for Microsoft Word -- which had been exploited weeks ago using an unpatched vulnerability -- was tagged as MS06-027. For the first time, Microsoft admitted that Word 2000 was also vulnerable to the attack, and described the bug.

Some security experts had worried that once Microsoft put out a patch, hackers would reverse-engineer the fix to figure out how to create an exploit. (The attacks disclosed in May were limited to a few enterprises; the exploit was never made public.) "There's a bit of damned if you do, damned if you don't," said Murray, "but the vulnerability doesn't present that much more risk today, even if attackers reverse engineer the patch, because now you can protect yourself."

The bulletin affecting Internet Explorer -- MS06-021 -- boasted the most vulnerabilities: 8. The bugs impact IE 5.01 and 6.0, and include 5 that could let attackers execute code remotely, 2 that could lead to personal information being disclosed in a phishing-style fashion, and 1 that would let attackers spoof a legitimate Web site.

Three bulletins -- MS06-022, MS06-024, and MS06-026 -- patch graphics rendering bugs in Windows, a long-time problem that Microsoft's operating system (and to some degree, Linux) has faced over the last year or more. The three plug holes in the processing of ART, PNG (by Windows Media Player), and Windows Metafile images, respectively.

Other fixes called out by Murray and Sarwate included MS06-025 and MS06-032. The first, which involves Windows Routing and Remote Access service, is tagged "critical," but the second, which patches a TCP/IP bug, is labeled as only "important."

Murray said that MS06-025 has characteristics similar to the 2005 vulnerability that led to the Zotob worm, the last major outbreak of a worm that needed no user interaction to spread. But because the Routing and Remote Access service isn't turned on by default in Windows, he said, the flaw is "pretty mitigated."

Sarwate, however, thought that both MS06-025 and MS06-032 should be patched as soon as possible. "These are serious. I don't think you should depend on intermediate routers to filter the malformed packets [attackers would use in an exploit]. You should be proactive and patch."
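The two analysts disagree on how much the default-off state of Routing and Remote Access buys you, and both agree the answer is to patch. The script below is an added example, not code from the article or from either vendor: it reports, on a Windows host, whether the RemoteAccess service is present, running, or set to start, and whether the updates for MS06-025 and MS06-032 are installed. The bulletin-to-KB mapping in `$Bulletins` is an assumption taken from the June 2006 bulletin text; verify it against the bulletins before relying on it.

```powershell
# Added example (not from the article). Checks the two network-facing June 2006
# bulletins discussed above plus the RRAS service state that Murray cites as
# a mitigation. KB numbers below are assumptions; confirm them against the
# Microsoft bulletins for MS06-025 and MS06-032 before use.
$Bulletins = @{
    'MS06-025' = 'KB911280'   # Routing and Remote Access (assumed KB number)
    'MS06-032' = 'KB917953'   # TCP/IP (assumed KB number)
}

function Get-BulletinStatus {
    param([hashtable]$Map = $Bulletins)
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID is the KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($bulletin in ($Map.Keys | Sort-Object)) {
        [pscustomobject]@{
            Bulletin  = $bulletin
            KB        = $Map[$bulletin]
            Installed = [bool]($installed -contains $Map[$bulletin])
        }
    }
}

function Get-RrasExposure {
    # "Not on by default" only helps if the service is neither running nor
    # set to start; report both so the mitigation claim can be checked.
    $svc = Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'"
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Running = $false; StartMode = 'n/a'; Exposed = $false }
    }
    $running = ($svc.State -eq 'Running')
    $autoStart = ($svc.StartMode -eq 'Auto')
    [pscustomobject]@{
        Present   = $true
        Running   = $running
        StartMode = $svc.StartMode
        # Exposed = attack surface is reachable now or will be after reboot
        Exposed   = ($running -or $autoStart)
    }
}

# Summarise: a host is "at risk" for MS06-025 when the patch is missing AND
# RRAS is exposed; MS06-032 is at risk whenever the patch is missing, since
# there is no service to turn off for a TCP/IP bug and, as Sarwate notes,
# upstream filtering of malformed packets should not be relied on.
$patches = Get-BulletinStatus
$rras    = Get-RrasExposure
$patches | Format-Table -AutoSize
$rras    | Format-Table -AutoSize

$rrasMissing = ($patches | Where-Object Bulletin -eq 'MS06-025').Installed -eq $false
$tcpMissing  = ($patches | Where-Object Bulletin -eq 'MS06-032').Installed -eq $false
if ($rrasMissing -and $rras.Exposed) { Write-Warning 'MS06-025 missing and RRAS reachable: patch now' }
elseif ($rrasMissing)                { Write-Warning 'MS06-025 missing; RRAS off, but still patch' }
if ($tcpMissing)                     { Write-Warning 'MS06-032 missing: patch now, no service-level mitigation' }
```

Run it in an elevated PowerShell session on the host being assessed. The point of separating `Get-BulletinStatus` from `Get-RrasExposure` is that the two quoted positions differ only on priority, not on the end state: the service check tells you how urgent the RRAS patch is today, and the patch check tells you whether the job is actually done.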

"One good thing," concluded Murray, "is that even with this many patches, the pickings aren't that severe. We've definitely seen a sea change. In 2002 we had bigger fish to fry, we were worried about Blasters and Code Reds. Now it's all about vulnerabilities that require users to get involved.

"But we can't dismiss the threat just because of that."

As usual, users can obtain the month's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company maintains, such as Windows Server Update Services (WSUS) or Software Update Services (SUS).
