
Thursday, November 16, 2006

Microsoft Patches Address Five Critical Security Flaws

Microsoft on Tuesday released six security fixes to address a variety of bugs in Windows and Office, five of which carry the company's most severe rating: critical. All six vulnerabilities, which were found in Internet Explorer, Microsoft Agent, XML Core Services, the Workstation Service and Adobe's Flash player, allow a hacker to execute code from a remote location.

ActiveX Bugs

Several of the critical bugs in this month's patch cycle target rendering and ActiveX controls, part of an ongoing trend tied to the recent dramatic increase in the volume of spam and the evolution of botnets.

Exploits like MS-068 and MS-071 make it easier for hackers to get the browsing community to visit attack sites containing malformed content. MS-069, a Flash vulnerability, allows hackers to create compelling Flash content containing malicious code that can take complete control of a user's system.

Exploit Still Not Addressed

One threat not addressed in this Patch Tuesday release was the Visual Studio 2005 vulnerability that is currently being exploited and primarily affects developers, said Chris Andrew, vice president of Security Technologies for PatchLink.

The recommended workaround entails the following:

  • Preventing WMI Scripting from running in IE;
  • Configuring IE to prompt before running Active Scripting or disable Active Scripting altogether;
  • Configuring IE to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local Intranet security zones; and
  • Setting Internet and Local Intranet security zone options to "high" so as to prompt before running ActiveX Controls and Active Scripting in these zones.
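The zone settings in this list can be audited or applied per user from PowerShell. The script below is an added example, not part of the original article or a Microsoft-supplied tool; the registry path and the URL action numbers 1200 and 1400 are IE's standard zone values rather than anything quoted in the article, and the `-Mode` and `-Apply` parameters are this example's own. It does not cover the WMI Scripting item.

```powershell
# Added example: audit (default) or apply (-Apply) the IE zone workaround
# for the current user. Requires PowerShell 3.0 or later.
param(
    [ValidateSet('Prompt', 'Disable')]
    [string]$Mode = 'Prompt',
    [switch]$Apply
)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
# URL action values used by IE security zones
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$names   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$wanted  = if ($Mode -eq 'Disable') { 3 } else { 1 }

foreach ($zone in ($zones.Keys | Sort-Object)) {
    $key = Join-Path $zonesRoot "$zone"
    foreach ($action in ($actions.Keys | Sort-Object)) {
        $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
        # Enable (0) or a missing value never satisfies the workaround.
        # With -Mode Prompt, the stricter Disable (3) is accepted as well.
        $compliant = if ($Mode -eq 'Disable') { $current -eq 3 } else { $current -in 1, 3 }
        $changed = $false
        if ($Apply -and -not $compliant) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name $action -Value $wanted -Type DWord
            $changed = $true
        }
        # One result row per zone/setting pair, showing the value found before any change
        [pscustomobject]@{
            Zone      = $zones[$zone]
            Setting   = $actions[$action]
            Before    = if ($null -eq $current) { 'NotSet' } else { $names[[int]$current] }
            Compliant = $compliant
            Changed   = $changed
        }
    }
}
```

Zone values delivered through Group Policy take precedence over these per-user values, so on managed machines the policy settings need checking as well.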
