Risk: High
Numerous holes have been found in Microsoft products as the new patches cover 10 issues, six of which are critical. Full details of all vulnerabilities are available on Microsoft's website at http://www.microsoft.com/technet/security/bulletin/ms06-oct.mspx
The six critical vulnerabilities have been found in Windows Shell, PowerPoint, Excel, XML Core Services and Office; if successfully exploited, all could permit remote code execution. One flaw, classified as 'important', was found in the Server service and could allow Denial of Service attacks or remote code execution. Two 'moderate' flaws were found in ASP.NET and Windows Object Packager, successful exploitation of which could result in information disclosure and remote code execution. The 'low' level issue, found in TCP/IP, could permit Denial of Service attacks if successfully exploited.
Shortly after Microsoft's October bulletin was released, Microsoft released IE7, and after just one day the first flaw was found. Microsoft claims that the flaw really lies in MS Outlook, although Secunia, which has classified the flaw as 'less critical', claims that the flaw is in IE7. Secunia's CTO of Security Notification, Thomas Kristensen, said: "The vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector." However, Microsoft's Christopher Budd wrote on Microsoft's official security response blog: "The issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express." The second IE7 flaw wasn't far behind, following just six days later. The second issue, also classified by Secunia as 'less critical', could enable phishing attacks, as it is possible to enter a series of special characters in a URL to make a spoofed pop-up window appear. An attacker could then trick visitors into entering information such as bank account details or passwords.