Microsoft issued a monster security bulletin for its June Patch Tuesday release, fixing a record 31 security flaws in a total of 10 updates.
Altogether, the patches repaired numerous vulnerabilities in Microsoft Windows 2000, Vista, XP, Windows Server 2003 and 2008, Office and multiple versions of Internet Explorer, including IE8, with six of the 10 patches designated for errors deemed critical.
Critical flaws indicate that the flaw enables hackers to launch malicious code in remote attacks.
One error in the patch load, given the less severe ranking of "important," was found to be exploited in the wild. The glitch occurred in Internet Information Service (IIS) and opened the door for attackers to gain unauthorized access to a Web server in order to view or steal personally identifying and financial information. The attacker could infiltrate a system by sending a malicious HTTP request to a Web site that requires authentication.
Security experts said that a worst-case scenario in an IIS exploit would enable a hacker to access user names and passwords for other accounts on the server, which could then be used to launch a malicious attack on the server itself.
Microsoft first disclosed the IIS issue in May, indicating that the company was able to identify the vulnerability and repair it within a matter of weeks. Security experts said that Microsoft's response often depends on the nature of the vulnerability and whether it is being actively exploited in an attack.
"The speed at which (Microsoft) is going to patch something depends on the nature of the vulnerability. With this IIS one, there could be two scenarios -- possibly they had the issue reported to them previously, or it could have been something so trivial they were able to do it quickly," said Steve Manzuik, senior manager of security research for Juniper Networks. "While they're never fully secure, they've raised the bar [for attackers to] find vulnerabilities."
Microsoft's June security bulletin also contained fixes for critical Office glitches in Microsoft Word and Excel, all of which left systems vulnerable to remote code execution if a user opened a malicious Excel or Word file. Meanwhile, security experts said that attacks have trended toward file-format vulnerabilities.
"If I'm a bad guy, I'm better off doing a social engineering attack, and enticing you to open an attachment," Manzuik said.
Included in the security bulletin was a patch repairing critical errors in Active Directory, which could be exploited when running Windows XP Professional and Windows Server 2003, and could allow an attacker to launch malicious code with the intention of taking control of a user's computer to view or steal personal and financial information.
In addition, the patch load included a comprehensive update for its Web browser IE including IE8, which shipped in March, repairing a total of seven vulnerabilities. The flaws enable attackers to execute malware on a victim's machine by luring them to view a malicious Web page using IE, typically through some social engineering scheme. Attackers could then infiltrate the victim's computer and launch code to steal data or completely shut down an affected system.
Manzuik maintained that the IE bug had the potential to cause the most damage due to the number of flaws coupled with the widespread popularity of the browser.
Other bugs repaired by the patch included critical flaws in the Windows Print Spooler and Microsoft Works Converters, both of which could allow remote hackers to gain entry into an affected system. The patch also fixed "important" vulnerabilities in RPC and Windows Kernel, both of which allow an attacker to gain unauthorized access to a user's system.
