December 12, 2006

Redmond patches zero-day flaws but Word risk remains

Microsoft Corp has patched 11 security vulnerabilities, which mostly threatened Windows, by releasing seven security updates, three of which were rated in the highest-risk category of 'critical.'

By CBR Staff Writer

However, industry watchers say two additional critical flaws in Microsoft Word, including one disclosed only a few days ago, have yet to be patched. These are zero-day flaws, which potentially enable a cyber criminal to take control of a user’s entire system. A successful attacker would gain the same user or administrative privileges as the victim. The second of these uncontained flaws was disclosed on December 5.

Two of the critical flaws addressed as part of Microsoft’s monthly Patch Tuesday cycle were zero-day vulnerabilities, that is, security holes for which the method of exploitation is already publicly known.

"Hackers can write for the flaw but there is no badge available to fix it," said Amol Sarwate, manager of vulnerability labs at security outfit Qualys Inc. "They can take full control of the machine."

Earlier this month, Microsoft advised that it would be releasing six security updates today, but since added a seventh to address one of these zero-day bugs in Windows Media Format, said a company spokesperson.

"We have been working on an update for the Windows Media Format [called MS06-078] and were able to meet the quality bar necessary for release. Because of this, we were able to add it to the December release," said the spokesperson.

Microsoft’s second zero-day flaw update, MS-06-073, plugs a hole in Visual Studio 2005 developer tools. Unlike the Windows Media flaw, this vulnerability has been exploited, Microsoft confirmed.

Both of those flaws cause remote code execution, which means malicious code is executed on a victim’s machine. "The attacker can execute arbitrary code on the user’s machine, which gets compromised," Sarwate said. "What those instructions are depends on what the attacker wants to put there."


"Disturbingly, these are the same types of vulnerabilities in the pair of Word flaws not yet patched by Microsoft," Sarwate said.

A third critical update, MS-06-072, for Internet Explorer, was released yesterday. "It was an accumulated update with fixes for four different flaws, one of which was remote code execution," Sarwate said. It was not, however, a zero-day flaw.

Less serious problems, as classified by Microsoft, affected Outlook Express, the Windows Client-Server Run-time Subsystem, the Windows Simple Network Management Protocol service and the Windows Remote Installation Services. All were addressed in yesterday’s update.
