Critical Microsoft updates for Windows flaws

Must-install patches for Workstation Service, five critical patches in total.
Written by Richard Koman, Contributor

It's that time of the month and Microsoft's regular delivery of Windows patches has several that government IT managers may want to start deploying. According to News.com, five of the eight patches are deemed critical. One alert addresses flaws in Adobe Flash, which shipped with Windows XP. The others patch major Windows security holes.

The most urgent issue is a flaw in Microsoft's "Workstation Service" in Windows 2000 and Windows XP, said Amol Sarwate, a research manager at vulnerability management company Qualys. "Attackers can remotely send malicious packets and cause code execution," he said. The problem is described in Microsoft alert MS06-070.

The problem with Workstation Service is that it can't be turned off or protected with a firewall. "Really, the only solution is to apply the patch as soon as possible," Sarwate said.

The problem is most severe for Windows 2000, said Christopher Budd, a security program manager at Microsoft. "There is the potential risk of a worm for Windows 2000 but you don't have that with Windows XP SP 2," he said. The threat to Windows XP is mitigated because of its firewall and different networking technology, Budd said.

A hacker could exploit the Workstation Service flaw by creating a specially crafted message and sending it to a vulnerable computer. "An attacker who successfully exploited this vulnerability could take complete control of the affected system," Microsoft said in its security bulletin, which it rates "critical."


Two other vulnerabilities affect Microsoft's Client Service for NetWare and the NetWare Driver, which expose Windows machines to a risk of being used to spawn worms. The good news is that the NetWare software can be turned off.
