Sept. 2006 Security Updates

Three patches-one critical, one important, and one moderate-were released on the Sept. 2006 “Patch Tuesday” to address vulnerabilities in Windows and Office. In addition, Microsoft rereleased two critical patches from last month’s Patch Tuesday, one of which is now on its third version in a month. This month Microsoft also worked to close a hole in its copy-protection mechanism for digital audio and video.

Critical Patches

The critical patch fixes a vulnerability in the way Microsoft Publisher, a product sold in some editions of Office and on a stand-alone basis, opens .PUB files (which store Publisher data). A malformed .PUB file could corrupt system memory in such a way that an attacker could execute arbitrary code and take full control of the computer. A side effect of the update for Publisher 2000 or Publisher 2002 is that users will not be able to open Publisher 2.0 files anymore.

The important update fixes a vulnerability in a network protocol called Pragmatic General Multicast (PGM)-a reliable and scalable multicast protocol that enables receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is used by the Microsoft Message Queuing Service, among others. An exploit for this vulnerability would allow a user to run programs in the LocalSystem security context, which has full administrative privileges.