Microsoft pushed out six patches today fixing nine vulnerabilities, including three flaws being actively exploited and one that, experts suggest, is only days away from proof-of-concept code.
Security researchers said the patches - five labeled critical, one important - highlight a continued trend toward client-side vulnerabilities with attackers building armies of botnets to launch spam, phishing and DoS attacks.
"Overall, we're seeing a shift from server-side vulnerabilities to client-side vulnerabilities," Michael Sutton, security evangelist at SPI Dynamics, told SCMagazine.com today. "We used to think client-side (flaws) were not so severe because they involved social engineering, trying to get the user to perform some sort of action. We're really starting to change our opinions due to the fact that client-side vulnerabilities are facilitators for phishing and identity theft."
The two fixes that drew the most attention from experts addressed vulnerabilities in XML Core (MS06-071) and Workstation (MS06-070) services.
Microsoft has said attackers were launching limited exploits against a flaw in the XMLHTTP 4.0 ActiveX Control in the Core Services program that could lead to drive-by downloads on Internet Explorer (IE).
Sutton said users should also be wary of two DirectAnimation Path ActiveX vulnerabilities patched in bulletin MS06-067, which were being actively exploited for drive-by attacks.
Recently, more and more bugs are being discovered in ActiveX, used to enhance the functionality of IE, experts said.
"We're seeing a lot of problems with the web browsers," Lamar Bailey, security operations manager of X-Force, IBM Internet Security System's (ISS) research and development team, told SCMagazine.com today. "The browser is getting more sophisticated and the technologies are not as proven yet. People are looking at them and finding ways to exploit them."
While the XML Core Services and DirectAnimation flaws require attackers to persuade users to visit a malicious website, the Workstation flaw - revealed for the first time today - requires no user interaction and could result in a global worm attack, experts said.
Attackers who exploit the vulnerability could take complete control of an affected system, gaining full user rights, the Microsoft bulletin said.
"There is no authentication required," Bailey said. "It is possible to make a worm out of this. We expect to see proof-of-concept and exploit code out of this probably within 48 to 72 hours."
The other critical fixes address vulnerabilities in Microsoft Agent and Adobe's Macromedia Flash Player.
The Flash bug lets hackers "create compelling Flash content that contains malicious code which can take complete control of a user's system," according to nCircle.
One vulnerability that did not see a fix related to a flawed WMI Object Broker ActiveX control in Visual Studio 2005. Microsoft issued a security advisory Oct. 31 and last week began warning of active attacks.
Bailey of IBM ISS said enterprises should not be too concerned because Visual Studio, a Microsoft development platform, is mostly used in IT environments, in which workers are much more careful in how their systems are configured.
Sutton disagreed.
"It's a publicly known issue for which there is exploit code out there," he said. "Visual Studio is a very widely deployed application and is something that has a strong user base."
Enterprises are urged to apply the patches quickly.
"Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible," said Alfred Huger, senior director of development for Symantec Security Response.
In addition to the patches, Redmond rolled out several other updates this month, including a new version of the Microsoft Windows Malicious Software Removal Tool.
Microsoft also noted that it will be offering up two other undisclosed non-security, but high-priority, updates via Microsoft Update (MU) and Windows Server Update Services (WSUS).
The company also announced customers will now be able to receive security updates for XML Core Services through Windows Update and Software Update Services, in addition to MU and WSUS.
Click here to email Dan Kaplan.