Microsoft Issues Light Load For 'Patch Tuesday'
Experts say the most serious of this month's Patch Tuesday bulletins includes a critical update in the Jet Database Engine, affecting different versions of Windows, including Windows 2000, XP Service Pack 2, XP Professional and Windows Server 2003. Unlike the other vulnerabilities bundled in this month's patch release, this update repairs security flaws that have previously been exploited in the wild.
"They're patching something that has been exploited in the past," said Jason Miller, security data team manager for Shavlik. "That's going to be the most important one because of the different vectors you can be attacked on."
An attacker could potentially exploit the vulnerability by embedding a Microsoft database file inside a Word file. In addition, Miller said that an attack could also be successfully delivered through the e-mail preview pane of Outlook 2003 and 2007, where a user could be at the receiving end of an exploit by simply clicking on the message without viewing the full-screen text.
Once opened, the attacker could execute arbitrary code to take complete control of an affected system in order to install malicious programs, alter or delete data or create new accounts with full user privileges.
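The vector described above, a Word document carrying an embedded Access/Jet database, lends itself to a simple defender-side triage check. The Python below is an added example for this article, not code from Microsoft, Shavlik or the article itself: it looks for the well-known Access database header (the bytes `00 01 00 00` followed by `Standard Jet DB` or `Standard ACE DB`) inside a legacy binary `.doc` (an OLE2 compound file) and inside a `.docx` package, whose members must be inflated before scanning. The sample documents, the fake database header and the `word/embeddings/oleObject1.bin` member name are constructed for the example and are not real documents.

```python
import io
import zipfile

# Added example (not from the article). Byte-level triage for Word documents that
# carry an embedded Access/Jet database object. Signatures are the well-known file
# headers; every sample input below is constructed, not a real document.

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                            # Office 2007 .docx (zip package)
MDB_PREFIX = b"\x00\x01\x00\x00"                     # first 4 bytes of an Access database
JET_TAGS = (b"Standard Jet DB", b"Standard ACE DB")  # tag that follows at offset 4


def scan_blob(data: bytes) -> list:
    """Return (offset, tag) for every Jet/ACE database header inside raw bytes."""
    hits = []
    for tag in JET_TAGS:
        pos = data.find(tag)
        while pos >= 0:
            # Require the 4-byte prefix too, so prose that merely mentions the tag
            # does not count as a hit.
            if pos >= 4 and data[pos - 4:pos] == MDB_PREFIX:
                hits.append((pos - 4, tag.decode()))
            pos = data.find(tag, pos + 1)
    return hits


def scan_document(data: bytes) -> dict:
    """Classify the container and scan it; zip members are inflated first."""
    result = {"container": "other", "hits": []}
    if data.startswith(OLE_MAGIC):
        # Embedded OLE objects in a binary .doc live in the ObjectPool storage and
        # compound-file streams are not compressed, so a flat byte scan can find them.
        result["container"] = "ole"
        result["hits"] = [("<root>",) + h for h in scan_blob(data)]
    elif data.startswith(ZIP_MAGIC):
        # .docx members are deflated, so a flat scan of the package would miss the
        # object; each member (e.g. word/embeddings/*.bin) is decompressed and scanned.
        result["container"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                result["hits"] += [(name,) + h for h in scan_blob(zf.read(name))]
    else:
        result["hits"] = [("<root>",) + h for h in scan_blob(data)]
    result["suspicious"] = bool(result["hits"])
    return result


def build_docx_sample(embedded: bytes) -> bytes:
    """Constructed stand-in for a .docx with one embedded object (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()


# Constructed samples: a fake .mdb header, a clean legacy .doc, a legacy .doc carrying
# the header, a .docx carrying it, and a document that only mentions the tag in text.
FAKE_MDB = MDB_PREFIX + b"Standard Jet DB\x00" + b"\x00" * 32
CLEAN_DOC = OLE_MAGIC + b"\x00" * 64 + b"Quarterly report text." + b"\x00" * 32
DOC_WITH_MDB = OLE_MAGIC + b"\x00" * 64 + FAKE_MDB + b"\x00" * 32
DOCX_WITH_MDB = build_docx_sample(FAKE_MDB)
PLAIN_MENTION = OLE_MAGIC + b"\x00" * 16 + b"Notes on the Standard Jet DB format"

if __name__ == "__main__":
    for label, blob in [("clean .doc", CLEAN_DOC), (".doc + mdb", DOC_WITH_MDB),
                        (".docx + mdb", DOCX_WITH_MDB), ("text mention", PLAIN_MENTION)]:
        print(label, scan_document(blob))
```

This is a triage signal, not a verdict: an embedded database can be legitimate, and the check only reports that one is present, not whether its contents would trigger the Jet flaw. It is also a heuristic scan rather than a compound-file parser, so a stream whose sectors are not contiguous could in principle split the 19-byte header across a sector boundary; a mail gateway or sandbox that needs a robust answer should walk the OLE structure (for example with a library such as olefile) and apply the same signature test to the extracted ObjectPool streams.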
Along with the Jet Engine patch, another critical bulletin addresses two vulnerabilities in Microsoft Word, affecting multiple versions of Microsoft Office and Outlook 2007.
The vulnerabilities, which the update addresses by modifying the way the application handles Word files, allow a remote attacker to execute arbitrary code on users' computers by enticing them to open a specially crafted Word document.
Because the Word update applies additional protection against exploitation of the Jet Engine vulnerability, experts recommend that both patches be applied in tandem.
Experts say that in particular the vulnerabilities delivered through Word and Outlook applications are considered some of the most severe due to the broad and diverse user base.
"If you're talking about ways of exploiting this vulnerability, opening a word document is pretty easy," said Miller. "These are day-to-day functions that people use."
Meanwhile, security researchers had concerns regarding patches for two vulnerabilities in the Microsoft Malware Protection Engine. While the error was rated "moderate," an unpatched vulnerability gives a remote attacker the potential to compromise malware protection applications. By crafting a malicious file, an attacker could trigger a denial of service that causes the Malware Protection Engine to stop scanning infected files.
While the vulnerability was only given a moderate rating, security experts say this flaw is more serious than it appears. The error could open up the gates for a barrage of malicious attacks and exploits by shutting down vital security applications and leaving a system exposed.
"You're talking about a window where your system was not protected," said Miller. "If your system's hung, you could potentially be infected."
Microsoft also released a bulletin addressing a critical error in Microsoft Publisher, which could also allow remote code execution if an attacker successfully enticed a user to open a specially crafted Publisher file.
The final bulletin repaired critical errors in Adobe's Macromedia Flash Player version 6, specifically on Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional.
Experts recommend that users apply the May patches as soon as possible; they can be downloaded from the Microsoft Web site.