The latest 'Patch Tuesday' release includes eleven bulletins which address a total of 20 security vulnerabilities. Four of the bulletins are rated 'critical,' while six more are listed as 'important' and the remaining bulletin is categorized as 'moderate.'
Among the critical patches is a fix for a remote code execution flaw in Excel which could allow an attacker to perform a remote malware installation by way of a specially crafted Excel file.
The second critical fix addresses a remote code flaw in Microsoft's Host Integration Server product, while another addresses a problem in the Active Directory component for Windows Server 2000.
The final critical bulletin is a cumulative update for Internet Explorer which includes remote code execution fixes for IE 5, 6 and 7.
Of the six bulletins rated as 'important,' three addressed remote code execution, including fixes for the Windows Server Message Block and Internet Printing Service, along with a flaw in the Message Queuing component for Windows 2000.
Three more 'important' bulletins fixed privilege-elevation flaws in the Windows Kernel, Virtual Address Descriptor and the Ancillary Function Driver.
The 'moderate' bulletin addresses a vulnerability in Microsoft Office XP SP3 which could be exploited for information disclosure.
According to McAfee security research and communications director David Marcus, the remote code flaws pose the biggest risk to users who do not apply the patch.
"It is the month of remote code execution bugs," Marcus declared.
"Many of the vulnerabilities addressed by Microsoft's new fixes could allow an attacker to gain complete control over a vulnerable computer by tricking a user to visit a malicious web site or open a rigged Office file."
Eleven fixes for Patch Tuesday
By Shaun Nichols on Oct 15, 2008 3:37PM