Patch Tuesday: January '06
January 10, 2006
By Pedro Hernandez
Microsoft released two more updates this month, including one for Windows that carries a 'critical' rating.
Windows contains a flaw in the way it handles embedded web fonts (MS06-002), making it possible for malware coders to create an exploit that leads to a remote attack or theft of data if a user is logged in with administrator rights. Affected versions of Windows include 2000 SP4, XP SP1/SP2, XP Pro x64, and Server 2003 SP1/x64/Itanium/Itanium SP1.
Separately, both Microsoft Office and Exchange suffer from a critical TNEF decoding flaw (MS06-003) that can eventually lead to a remote attack. TNEF (Transport Neutral Encapsulation Format) packages message attributes, such as formatting and embedded images, for use by Outlook.
According to the advisory, some versions of Outlook and affected Office (2000, XP SP3, and 2003) language modules are susceptible to a bug that can lead to a client system takeover. Similarly, the bug can also allow an attacker to hack an Exchange 5.0, 5.5 or 2000 SP3 server.
These follow an out-of-schedule update that the software giant issued last week to fix the WMF flaw and render useless the subsequent zero-days that cropped up online. During that gap, sites hosting unofficial patches and workarounds were surging in popularity as administrators weighed their options. Feedback coupled with a quick patch development period prompted Microsoft to issue the fix early.
New WMF flaws have surfaced since, but the Microsoft Security Response Center is filing them under performance issues. While they may cause a WMF application to crash, they do no otherwise affect the OS or grant access to a hacker.
The company's Malicious Software Removal Tool also gets an update this month. New signatures allow the software to detect the Parite virus along with the Maslan and Bofra worms.
Individual downloads are available by following the links contained within the security bulletins or by using Windows Update.
Source or click on the link in EIT Planet's Security News Section