Microsoft Releases 11 Updates for Patch Tuesday, 6 Critical

Altogether the critical updates -- which affect numerous versions of Windows, including Vista -- fix errors found in the Windows Image Color Management System, an ActiveX control, Microsoft Excel, Microsoft PowerPoint, Microsoft Office filters and Internet Explorer. All of the critical vulnerabilities resolved by the update could potentially allow remote code execution.

Included in the security bulletin are a fix for an ActiveX control as well as a cumulative patch for Internet Explorer -- both of which fixed critical flaws that could enable an attacker to unleash malicious code on users' computers if they visited a specially crafted Web page. Once the malicious payload was installed, the attacker could then gain full login privileges and take complete control of an affected machine.

Security experts say that this patch bundle included numerous client-side vulnerabilities that could open the door for exploitation via malicious Web sites.

"They're trying to get you to go to one of those sites," said Jason Miller, security data team leader for Shavlik Technologies. "You're unpatched and you click on one of these links, you can get yourself infected."

Also repaired by this month's bulletin were several critical errors that could allow remote code execution if a user were to open a malicious word document or attachment. A patch fixing vulnerabilities in Microsoft Excel prevents users' computers from becoming infected if they open a specially crafted Excel file, while another fix protects users who download a malicious PowerPoint file.

"It's another attack vector," said Miller. "They're less effective, versus trying to create a Website that has been programmed to take advantage of those vulnerabilities."

Included in this patch load were also fixes for vulnerabilities in image files, which could allow an attacker to execute code remotely by enticing a user to open a specially crafted image file using Microsoft Office.

Meanwhile, another update repairs a flaw in the Image Color Management system that could enable a remote attacker to launch malicious code in order to log on and then take complete control of an affected system. The attacker could then install programs, alter data or create new accounts with full user privileges.

Updates deemed important in the security bulletin incorporate five fixes for multiple flaws in the Windows Internet Protocol Security, Event System, Outlook, Windows Mail, Windows Messenger and Microsoft Word.

While only given an "important" ranking, the Microsoft Word vulnerability could potentially be exploited remotely if a user were to open a specially crafted Word file.

While not enabling remote code execution, vulnerabilities reported in Windows Messenger, IPsec Processing Policy, and Outlook Express could allow an attacker to acquire passwords, retrieve contact information, view encrypted network traffic and initiate audio and video chat sessions without the permission or knowledge of the authorized user, if left unpatched.

So far, there are no known cases of active attacks in the wild; however, security experts recommend that users patch their systems as soon as possible, warning that attackers will likely start creating Websites designed to exploit the newly publicized vulnerabilities.

"It's only a matter of days before (attackers) start figuring out how to make Websites like this," said Miller. "Just patch it. If something breaks, then address it."