News

Microsoft Releases 10 Security Bulletins

• By Scott Bekker
• June 14, 2005

Microsoft's monthly bundle of patches for June is one of the biggest since the company switched to a monthly patching cycle, and it brings fixes for 12 vulnerabilities, including three critical issues.

The Microsoft Security Response Center posted the patches on Tuesday in 10 security bulletins: numbered MS05-025 through MS05-034 . To fix the flaws across its massive matrix of supported operating systems and applications, the company posted 49 different patches to the Microsoft Download Center Monday night and Tuesday morning.

Six of the bulletins addressed flaws that could allow an attacker to take control of a vulnerable system over the Internet. Two of the flaws were public prior to Microsoft releasing a patch, but neither of those issued involved a critical flaw.

The majority of the bulletins, eight, covered problems in the Windows operating system. Individual bulletins addressed issues in such Windows components as Internet Explorer, HTML Help, the Microsoft Agent, the Web Client service, Server Message Block and Telnet.

Three of the Windows bulletins covered critical flaws -- the one for Internet Explorer, the one for HTML Help and the one covering Server Message Block. The HTML Help flaw was also critical for Windows 98/98SE/ME, triggering patches for those older platforms.

Aside from Windows, Microsoft released cumulative updates for Internet Security & Acceleration Server 2000 and for Outlook Express. Security updates also hit for Exchange Server 5.5 and for Services for Unix. The SFU vulnerability is related to the Telnet flaw that affects Windows.

Altogether, Microsoft issued three critical bulletins, four important bulletins and three moderate bulletins on Tuesday.

The Internet Explorer bulletin (MS05-025) and the ISA Server bulletin (MS05-034) each dealt with two flaws. The second IE flaw is moderate in severity and could allow an information disclosure if exploited. Details of that flaw made it onto the Web before Microsoft released the patch, but neither proof of concept code nor known abuse of the flaw have surfaced so far, according to Microsoft.

Both flaws in the ISA Server bulletin allow elevation of privilege, although one of them also involves cache poisoning too. Known within the broader security community as "HTTP smuggling," the vulnerability was also already public before Tuesday. Again, Microsoft says it has not seen public proof of concept code or received reports that the flaw is being abused. The other problem fixed in the ISA Server patch was not made public before Tuesday.

Because Microsoft Small Business Server 2000 and Microsoft Small Business Server 2003 Premium Edition include ISA Server 2000, the ISA Server patch is intended for those server product as well. ISA Server 2004 is not affected by the vulnerabilities.

Microsoft's June security summary, which includes links to each of the individual security bulletins, is available at http://www.microsoft.com/technet/security/bulletin/ms05-jun.mspx.

See also, A Look at the Microsoft Security Response Center's Playbook.