Microsoft Issues Trio Of Critical Patches
Noticeably absent from this month's patch release, however, were fixes for the two zero-day vulnerabilities that surfaced in Microsoft Word over the past week.
In update MS06-078, the Redmond, Wash.-based software giant fixed a pair of remotely exploitable flaws in the Windows Media Player library, one affecting Advanced Systems Format (ASF) files, the other Advanced Stream Redirector (ASX) files. Attackers could exploit the latter by creating a rigged ASX file and posting it on a Web site configured to use Windows Media Player or by getting a user to click on a link to a doctored ASX file, Microsoft said.
In a post on its Zero Day Tracker site, eEye Digital Security said that because ASX files are auto-opened when viewed in a Web browser, the flaw could be widely exploited through the use of rigged Web pages or e-mail. eEye recommended that users configure Windows Media Player not to automatically open ASX files.
In update MS06-072, Microsoft patched four vulnerabilities in Internet Explorer, two of which are remotely exploitable and could enable an attacker to take over an affected PC and wreak havoc. MS06-072 replaces an earlier update, MS06-067, and includes improvements to the Internet Explorer Pop-up Blocker that Microsoft began shipping with Windows XP Service Pack 2.
In update MS06-073, Microsoft fixed a remote code execution flaw in an ActiveX control used in Visual Studio 2005 that could also be exploited through a rigged Web page.
And in four additional updates labeled as "important," Microsoft fixed remote code execution flaws in the Simple Network Management Protocol (SNMP), Remote Installation Service (RIS) and Outlook Express, as well as a Windows privilege escalation vulnerability.