June 2006 Security Updates

Twelve patches-eight critical, three important, and one moderate-were released on the June 2006 “Patch Tuesday” to address a large number of vulnerabilities in a wide range of Microsoft products, including Exchange, Internet Explorer, PowerPoint, Windows, Windows Media Player, and Word. In addition, Microsoft published research on the impact of its Malicious Software Removal Tool. But Microsoft’s improvements in how it distributes updates for vulnerabilities to customers may have been irreparably damaged by a decision to use Windows Update to distribute a prerelease version of its Windows Genuine Advantage Notifications software as a high-priority update.

Critical Patches

While customers need to consider deploying all critical security patches in a timely manner, Microsoft called out several of this month’s updates for special attention. MS06-021, a cumulative update for Internet Explorer (IE); MS06-022, a fix for a remote code vulnerability with ART Image Rendering (ART is an AOL format); and MS06-023, a fix for a remote code vulnerability in JScript, are all vulnerable to similar attacks. Therefore, an attack on any one of these vulnerabilities could be easily adapted for the others, and all three patches should be applied as close together as possible.