Original URL: http://www.channelregister.co.uk/2007/07/11/ms_patch_tuesday/
Microsoft's latest Patch Tuesday update brought six patches, three of which Redmond described as critical fixes.
The critical updates cover flaws in Excel, Windows Active Directory, and .NET Framework. All create a possible means for hackers to inject hostile code onto vulnerable systems (remote code execution). Separate security bugs in Internet Information Server (Microsoft's web server software) and Microsoft Office Publisher also carry the same risk but earn a lower classification of "important" from Redmond. Microsoft's security gnomes have also addressed a "moderate" security bug in Windows firewall that creates an information disclosure risk.
Microsoft's summary can be found here (http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx). The SANS Institute's take on "Black Tuesday" can be found here (http://isc.sans.org/diary.html?storyid=3120). It reckons that the IIS, Office Publisher and Windows firewall flaws merit a higher security classification than assigned to them by Redmond, depending on a user's systems.
None of the flaws patched on Tuesday are the subject of active hacker exploits but security researchers highlight the .NET Framework flaw as potentially the most troublesome.
"The patch for the .NET Framework is the most important patch this month. It has the potential to affect every application running on every operating system that Microsoft is actively supporting today," said Alan Bentley, md of patching and vulnerability assessment firm PatchLink. The Excel vulnerability, since it lends itself to the creation of malware targeting unpatched vulnerabilities, is also a serious concern, he added. ®