Microsoft Crushes Just Three Bugs In September's Patch Batch
The single critical flaw was described in security bulletin MS06-054, which outlined a bug in Microsoft Publisher, the entry-level desktop publishing program included with some editions of Office. The remaining pair of patches, which fixed problems in various versions of Windows, were judged "Important" and "Moderate," Microsoft's second- and third-from-the-top rankings, respectively.
In the three months from June through August, Microsoft published 31 security updates and patched 62 bugs, 41 of which were critical. September's patch tally was less than one-twentieth of that issued during the summer.
Perhaps the breather will give enterprises a chance to catch up on their patching, said Minoo Hamilton, a senior security researcher with nCircle. "Patching is hard no matter what, even if it's a light month," said Hamilton. "Things fall off the plate all the time."
Jonathan Bitle, product manager at security company Qualys, agreed. "This is a welcome respite from the large releases of the last months. I think a lot of people are looking forward to making good use of the time."
The flaw in Office Publisher 2000, 2002, and 2003, said Microsoft, affects users of some editions of Office 2000, Office XP, and Office 2003. The bug lies in the way the application parses files. "An attacker could exploit this vulnerability when Publisher parses a file with a malformed string," Microsoft said in the bulletin. A successful exploit -- which could come as a document sent via e-mail or via a malicious Web site -- would give the attacker full access to the PC.
Even after the patch is applied, however, the older versions of Publisher -- 2000 and 2002 -- may still crash if they're used to open a specially crafted file. "Publisher may potentially crash but will not be exploitable," Microsoft acknowledged in the bulletin.
According to Microsoft, the Publisher bug has not been exploited in the wild. That's a departure from a number of other Office-related vulnerabilities which have been patched since May; in all those cases, attackers were already using the vulnerability before Microsoft could issue a patch.
Hamilton noted that the disclosed flaw was similar to those announced earlier for other Office applications, but said that the risk was actually smaller this time. "It is the most critical [of the three], but [the vulnerability] has a small footprint because it's in Publisher." Although Publisher 2003 is included in three of the five Office 2003 SKUs, for instance, it's missing from the two least-expensive versions: Standard Edition and Student and Teacher Edition.
The remaining bulletins, MS06-052 and MS06-053, were labeled as "Important" and "Moderate," respectively.
The first of the pair addressed a bug in Windows XP (both SP1 and SP2), specifically in a protocol dubbed PGM (for Pragmatic General Multicast). Although an attacker could exploit the flaw relatively easily -- by Microsoft's admission, "any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability" -- the company judged it a less-than-critical risk because the service isn't turned on by default.
In fact, PGM is a rather obscure protocol. "I think of myself as a Windows expert," said Hamilton, "and I've never even heard of it."
MS06-053, meanwhile, was ranked even lower on the threat scale. The vulnerability is in Windows' Indexing Service, which is used to create indexes of content held in file systems and virtual Web servers. But even though it's tagged as a "Moderate" risk, Hamilton said users should patch all affected servers.
"The cross-scripting vulnerability [in Indexing Service] may support phishing or data theft," he said. "We're all more sensitive to data theft than we were a year ago."
Not fixed by Tuesday's patches was the most recently acknowledged bug in Microsoft Word, a flaw already being used by attackers. "There isn't anything tremendous here," said Amol Sarwate, the manager of Qualys' vulnerability lab. "But neither is there a fix for the Word vulnerability."
Nor should Windows users let down their guard simply because the load was light this month. "In the last two release cycles, almost directly on the heels of the patches, we've seen people release exploits," said Bitle. "Although enterprises should be able to take advantage of the small number of patches, everyone should be on the watch for exploits immediately following the updates, or a fix for the Word [2000] issue."
Users can obtain Tuesday's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company offers, including Windows Server Update Services (WSUS) and Software Update Services (SUS).