September Patch Tuesday misses zero-day exploit in MS Word

September 13, 2006

Microsoft delivered three bulletins this September Patch Tuesday: a critical bulletin for Microsoft Publisher, an important bulletin for pragmatic general multicast (PGM) networking communications, and a moderate-severity bulletin for the Indexing Service.

Alan Bentley, Managing Director of PatchLink EMEA, comments: “Microsoft did not release a patch for the zero-day exploit in MS Word and it could be another month before the patch becomes available. So far, there has not been any widespread attack on this exploit. However, IT administrators need to protect their network in the meantime and consider implementing the below actions.”

- Evaluate their IT environment and make sure they have a deployment infrastructure in place;
- For this particular Word vulnerability, the best option is for IT administrators to turn on safe mode in MS Word;
- Examine and make sure they have a suitable firewall technology so that they can control the inflow of documents and block documents as well;
- Use MS Word Viewer instead, so that when browsing emails and the Internet you can display the document in rudimentary fashion;
- Communicate to the end user community on what the action plan is for temporary workarounds for this MS Word vulnerability.

MS06-054 – “To exploit the Microsoft Publisher vulnerability, an attacker would need to be logged into Windows with administrative user rights and open a file with a malformed string. The attacker could take full control of the affected system. This is a critical bulletin that all users of Microsoft Publisher should apply.

MS06-052 – Pragmatic general multicast (PGM) communications is an optional feature installed with Windows MSMQ service. Systems where PGM has not been installed are not vulnerable. If PGM has been installed, an attacker could use a malformed multicast packet to execute code on the affected system. The attacker would only need to be able to route multicast packets to the affected system to remotely execute code. All Windows systems should have this bulletin installed.

MS06-053 – The last of this Tuesday's bulletins corrects a vulnerability where affected systems could be exploited to gain unauthorised access to information via the Indexing Service. This vulnerability allows an attacker to run a client-side script to spoof content, disclose information or behave as that user on the affected Web site. It is recommended that this bulletin be applied.”
