Microsoft releases seven security patches

Computerworld - As part of its monthly roundup of security patches for July, Microsoft Corp. today released seven bulletins detailing fixes for vulnerabilities in a wide range of its products.

Five of the bulletins address critical vulnerabilties, while two provide fixes for less severe flaws. Among the critical flaws disclosed today are two that exist on the server side.

One is a vulnerability in the Windows Server Service that could allow hackers to remotely execute code on compromised systems. The other critical server flaw involves the Window Dynamic Host Configuration Protocol Client Service. It, too, could result in remote code execution, according to Microsoft.

"DHCP is a communication protocol that allows administrators to centrally manage and automate the assignment of Internet Protocol (IP) addresses in an organization's network," security vendor Symantec Corp. said in an advisory after the updates were announced.

"Therefore, one compromised system could affect other systems connected to it on the same physical network," the advisory said, adding that users of Windows 2000, Windows XP and Windows Server 2003 may be affected by the flaw.

Meanwhile, the updates for client-side vulnerabilities included one that addresses several vulnerabilties in Microsoft Excel and another that fixes two flaws in Microsoft Office. The third critical client-side update details fixes for two holes in Microsoft Office Filter that could allow attackers to remote-compromise vulnerable systems.

Easily the most serious of the flaws disclosed today is the one affecting the Server Service, said Mike Murray, director of vulnerability research at nCircle Network Security Inc., a security vendor based in San Francisco. The service basically allows computers to communicate with each other. The flaw allows attackers to potentially send malformed communications over Ports 455 or 139 and lets them take complete control of vulnerable systems, he said.

The DHCP flaw is also serious, but requires the attacker to be on the same network as the vulnerable system, Murray said.

Meanwhile, today's updates provide another indication of growing client-side security threats, said Amol Sarwate, manager of vulnerability management at Qualys Inc., a managed security service provider in Redwood Shores, Calif.

"This trend of client side vulnerabilities -- where attackers are creating malformed image files or Excel files that are sent to users via e-mail or hosted on Web sites -- has been increasing" since the beginning of this year he said.

Over the past month, Microsoft has investigated a number of issues related to Excel and Office, following reports that hackers had launched a targeted attack against an unnamed government contractor by taking advantage of a bug in the Excel spreadsheet software.

The seven patches will keep administrators busy, although not so busy as in June. Last month, Microsoft released 12 security updates.

Robert McMillan, of the IDG News Service, contributed to this report.