Microsoft Plugs 'Critical' Office Security Leak
September's Patch Tuesday Delivers Three Patches
Ed Sutherland
Software giant Microsoft has released three security bulletins, one of which is aimed at correcting a critical flaw in Microsoft Publisher 2000.
The critical patch, MS06-054, cures a security risk posed by a malformed Publisher file.
If a user is logged in with administrative rights, attackers could take control of a system, deleting or changing data, according to Microsoft.
A second patch, deemed "important," is aimed at Windows XP users. Security bulletin MS06-052 is meant to solve a denial-of-service vulnerability in the Windows Reliable Multicast Program (PGM) component of the operating system.
Although not installed by default, the PGM flaw could enable attackers to wrest control of a system by sending a malformed message, according to Microsoft.
The final patch is rated "moderate," meaning Windows XP, Windows 2000 and Windows Server 2003 users should consider applying it.
Security Bulletin MS06-053 fixes a vulnerability in the indexing service that could allow cross-site scripting.
The flaw could allow an attacker to gain access to information that later could be used to compromise a system.
The indexing service lies at the core of Windows systems, indexing the contents of IIS Web servers, as well as filesystems.
The patch replaces MS05-003, first released by Microsoft on January 11, 2005.
Microsoft also re-released two critical patches.
MS06-040, first introduced on Aug. 8, fixes a buffer over-run vulnerability in Windows.
MS06-042 is a cumulative patch addressing 10 flaws in Internet Explorer 5.01 and Internet Explorer 6.
Some believed this month's Office patch might address a flaw in Word 2000, which Microsoft earlier this month said it was investigating.
The zero-day flaw could allow attackers to corrupt system memory and execute arbitrary code when a user opens a malicious Word file or visits a special Web site.
The patches could come as welcome relief to Windows users who had become accustomed to applying half a dozen or more security fixes each month.
Last month, Microsoft unveiled a dozen patches, nine deemed of "critical" importance.