Microsoft issues patches for flaws

Microsoft issued seven security updates with patches for 11 security vulnerabilities on Tuesday as part of its monthly Patch update cycle. Initially only six security bulletins were planned but one extra update was released to fix two flaws that affect the Windows Media Format.

The company's highest threat level was touched with three updates earning the dreaded rating of critical.

Microsoft provided a patch for a zero-day vulnerability of security of Visual Studio 2005 developer tools. It had already been used in cyber attacks before being disclosed last month. Developers are urged to apply patches to defend their systems from attack.

However, a pair of known flaws in Microsoft Word is being exploited in cruel software and remains unfixed.

IE 5 and 6 users need to upgrade in order to defend themselves against the bug which security vendor Symantec warns might lend itself to attacks that could result in a "complete system compromise".

Another serious flaw stems from an unrestricted buffer in Windows Media Player code involved in handling Advanced Streaming Format (ASF) files.

"While we see Microsoft making an attempt to patch zero-day vulnerabilities, they are still struggling to keep up with the continuous influx of zero-day attacks," said Amol Sarwate, a research manager at vulnerability management company Qualys. "Microsoft is making a genuine effort. However, users are still exposed to attacks via the unpatched Word vulnerabilities."

Other problems that affect the Windows Simple Network Management Protocol service, the Windows Client-Server Run-time Subsystem and the Windows Remote Installation Services are considered to be less serious by Microsoft.

The summary of Microsoft’s patches is available on its website and the fixes will be delivered via Automatic Updates in Windows.