Microsoft issues largest patch batch to date

21 flaws...

Tags: flaw, patch, microsoft

By Dawn Kawamoto

Published: 14 June 2006 08:40 GMT

Microsoft has issued patches for 21 flaws in its software, saying all but two of them could let an intruder run malicious code on a compromised computer.

The company sent out a dozen security bulletins on Tuesday as part of its regular monthly patch cycle. Eight of the bulletins are labelled "critical", which is Microsoft's highest risk rating. They cover problems with Windows, Internet Explorer, Word, PowerPoint and Exchange Server.

The number of vulnerabilities means this is Microsoft's largest clutch of patches to date, security experts said.

Amol Sarwate, the manager of the Vulnerability Management Lab at flaw management specialist Qualys, said: "There has never been a Microsoft security update to address 21 issues and never one with 19 potential remote execution flaws."

The most important bulletin, MS06-025, is a fix for routing and remote access vulnerabilities in Windows, said Jonathan Bitle, a senior product manager at Qualys.

Bitle said: "These [vulnerabilities] take advantage of two listening services that run on the host and listen for traffic coming in through ports that are frequently utilised. While a lot of these [other Microsoft] remote execution flaws require user interaction, this one does not. A user doesn't have to click on a link or open an attachment."

The routing and remote access vulnerabilities are deemed "critical" for systems running Windows 2000, and "important" - the second highest risk ranking - for Windows XP with Service Pack 1 or 2, and for Windows Server 2003 with Service Pack 1.

Qualys is also suggesting IT managers should jump on another patch, for an issue in Microsoft Exchange Server running Outlook Web Access, even though Microsoft has only tagged it as important.

Sarwate said: "If a user checks their email using Outlook Web Access, all they need to do is just open an email in IE and it will cause the script in their email to be remotely executed."

Over the next days and weeks, IT administrators should be busy deploying the bundle of patches across their network, experts said.

Chris Andrew, vice president of security technologies at PatchLink, said: "There are a couple of different vulnerabilities. Some are IE browser problems, some affect Media Player, ART imaging and JScript. IT managers will probably have to patch every single desktop."

Four of the critical updates deal with security holes that could allow remote code execution in all versions of Windows. One is a cumulative update for the Internet Explorer component, affecting versions 5.01 and 6 of the web browser. Another deals with a problem with Windows Media Player, versions 7.1, 9 and 10. The others cover vulnerabilities in Microsoft JScript and ART image rendering.

Another critical Windows bulletin, related to bugs in its graphics rendering engine, affects Windows 98, Windows 98 Second Edition and Windows Millennium Edition only.

Two updates affecting Office were also given the highest risk rating. A vulnerability in Word also hits Microsoft Works. The bulletin for a flaw in PowerPoint replaces an earlier patch.

Microsoft also issued a fix for an important flaw in Windows' Server Message Block component that could enable attackers to elevate their level of system privileges. The "moderate" bulletins covered an RPC Mutual Authentication problem and a TCP/IP problem in Windows.

Dawn Kawamoto writes for CNET News.com
