For July's Patch Tuesday, Microsoft released seven security bulletins, five of which it has rated critical. (The remaining two are rated important.) The vulnerabilities apply to virtually every Office component in current use, including Mac applications and even Microsoft Works.
Details
In addition to the rather esoteric threats we often see on Patch Tuesday, this month's batch includes multiple critical flaws in Office components that can lead to remote code execution. Consequently, everyone — not just companies with large network installations or those using advanced features — should carefully review the July updates. Basically, if your organisation uses or supports any Microsoft product, you need to check out these security bulletins.
Critical threats
MS06-035
Microsoft Security Bulletin MS06-035, "Vulnerability in Server Service Could Allow Remote Code Execution", addresses a remote code execution threat and an information disclosure threat. These are newly discovered threats.
This is a critical threat to Windows 2000, Windows XP and Windows Server 2003 platforms — including systems with all service packs installed — but it doesn't affect Windows 98, Windows SE and Windows ME systems. This bulletin replaces Security Bulletin MS05-027 for Windows XP and Windows Server 2003 systems.
MS06-036
Microsoft Security Bulletin MS06-036, "Vulnerability in DHCP Client Service Could Allow Remote Code Execution", addresses a buffer overrun vulnerability in the Dynamic Host Configuration Protocol (DHCP) client service. This is a newly discovered remote code execution threat, which an anonymous user can exploit remotely.
This is a critical threat to Windows 2000, Windows XP, and Windows Server 2003 platforms — including systems with all service packs installed — but it doesn't affect Windows 98, Windows SE, and Windows ME systems. Using a static IP address will mitigate the danger, but this approach also opens your systems to other threats. You can also disable the DHCP Client service via Control Panel | Administrative Tools | Services.
MS06-037
Microsoft Security Bulletin MS06-037, "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution", addresses multiple Excel vulnerabilities that can allow remote code execution. Some of the holes patched by this update are publicly disclosed vulnerabilities.
It's important to note that this bulletin affects all newer versions of Excel and Microsoft Office, including those running on the Macintosh platform. However, the bulletin is rated critical for Microsoft Excel 2000 on Windows platforms only. For all other affected versions, it is rated only important.
MS06-038
Microsoft Security Bulletin MS06-038, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution", addresses another remote code execution threat that affects almost all Office components (including Viewer, FrontPage, OneNote and even Visio). Some of the holes patched by this update are publicly disclosed vulnerabilities.
This bulletin affects Office 2003 SP1, Office 2003 SP2, Office XP SP3 and Office 2000 SP3; it also affects individual Windows applications, including Project 2002 SP1, Visio 2002 SP2, Project 2000 Service Release 1, Office 2004 for Mac, and Office v. X for Mac. The vulnerabilities addressed by this bulletin do not affect Microsoft Works Suite 2004, Works Suite 2005 or Works Suite 2006.
While the vulnerabilities covered by this bulletin…





