Patch Tuesday fixes two problems

Less than a week after releasing an out-of-cycle security patch, Microsoft got back on schedule by publishing two other patches it deemed “critical” as its January “Patch Tuesday” bulletin.

The Redmond, Wash., company released its second patch of the year, MS06-02, to fix a vulnerability in embedded web fonts. The flaw, which could allow for remote code execution, was reported by eEye Digital Security, Microsoft said.


An attack using this vulnerability would require tricking a user with a phishing email or other technique, said Alain Sergile, product manager for Internet Security Services' X-Force team.

"For this type of attack, there needs to be some kind of user interest," he said.

Microsoft's third patch of the month, MS06-03, was released to fix a TNEF decoding vulnerability in both Microsoft Office and Outlook. Remote code execution is also possible through this flaw, the company said.

John Heasman and Mark Litchfield of NGS Software reported the flaw to Microsoft, the computing giant said on its website.

MS06-03 would be of particular interest to corporate PC users, Sergile said.

"The patch for the TNEF flaw is very important because it affects Exchange, which is a major product used in corporate America," he said.

Russ Cooper, senior information security analyst with Cybertrust, said he believed Microsoft was right to release the WMF patch last week and follow up Tuesday with these two fixes, but said he didn't want to see the monthly patch cycle changed.

"That's what you get when a company is faced with an awful lot of hype," he said. "Nothing with the WMF flaw amounted to anything near that kind of hype. But I don't want to see Microsoft shortening their cycles because of a lot of media attention."

Copyright © SC Magazine, US edition