3 Microsoft Security Bulletins for January 2006

Microsoft released three security updates for this month:

MS06-001--Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

This is the same bulletin that was originally released early (on January 6) because of the prevalence of attacks already exploiting yet another vulnerability in Windows' graphics rendering engine. This high-priority patch should be loaded as soon as possible. For analysis of system types most affected as well as workarounds, go to

http://www.ultimatewindowssecurity.com/bulletinarchives/MS06_001.html

MS06-002--Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

This HTML-content vulnerability exploits a buffer overflow in Microsoft Internet Explorer's (IE's) embedded Web font processing. For recommendations about patch deployment, workarounds, and demonstrations of how embedded Web fonts work, go to

http://www.ultimatewindowssecurity.com/bulletinarchives/MS06_002.html

MS06-003--Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

This vulnerability is particularly dangerous because it can directly impact servers and because it allows the attacker to take the offensive with direct, targeted attacks instead of the "bait-and-wait" attacks common to the recent spate of graphics rendering engine attacks. Most organizations will want to load this patch on all systems that have Microsoft Office 2000, XP, or 2003 or Microsoft Exchange Server 5.x or 2000. For more details, go to

http://www.ultimatewindowssecurity.com/bulletinarchives/MS06_003.html