January 12, 2011

Microsoft releases three security bulletins for September

Microsoft released three security bulletins for September's Patch Tuesday, but only one is critical. The other two bulletins patch more minor threats. However, Redmond has yet to release a patch for the known Word 2000 vulnerability, which attackers are already exploiting.
Details



Well, Microsoft is taking it easy on us at the end of summer, releasing only three security updates for this month. Even the critical threat should have relatively minor impact on many businesses because it mainly affects Microsoft Publisher. However, readers should note that other Microsoft Office applications use some of the affected files, which can cause some minor problems.
MS06-054

Microsoft Security Bulletin MS06-054, "Vulnerability in Microsoft Publisher Could Allow Remote Code Execution," is only a critical threat for users of Office Publisher 2000 Service Pack 3. While this threat also affects Office Publisher 2002 SP3, Office Publisher 2003 SP1, and Office Publisher 2003 SP2, it is only an important threat for these versions.

This is a newly reported threat, and there have been no reports of exploits in the wild (CVE-2006-0001). The only workaround is to refrain from opening or saving Publisher files obtained from untrusted sources.

Note: An update to MS06-054 indicates that installing the update will prevent users from accessing Publisher 2.0 files. For more details, see Microsoft Knowledge Base article 924685.

In addition, keep in mind that even though the patch will block attacks exploiting this vector, opening a malformed Publisher file (such as one designed to exploit the vulnerability) after installing the patch can still cause a system crash.

If your organization doesn't use Publisher, it isn't important that you apply the update for security reasons. But if you have Publisher installed and don't install the update, you can expect to get periodic reminders about updating the affected files.
MS06-053

Microsoft Security Bulletin MS06-053, "Vulnerability in Indexing Service Could Allow Cross-Site Scripting," addresses a moderate to low threat caused by a query validation error (CVE-2006-0032). This is a moderate threat for Windows 2000 SP4, Windows XP SP1, and Windows XP SP2, but it's only a low threat for Windows Server 2003 and Windows Server 2003 SP1.

This is a newly discovered vulnerability, and there have been no reports of exploits in the wild. This bulletin replaces Microsoft Security Bulletin MS05-003 for Windows XP SP1 and Windows Server 2003.

Because this threat only applies to Internet Information Services (IIS), there should be no impact for many users; Windows XP and Windows Server 2003 don't install or enable IIS by default. Read the security bulletin to learn about available workarounds; the most useful one is to simply remove or disable the Indexing Service if it isn't necessary.
MS06-052

Microsoft Security Bulletin MS06-052, "Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution," is an important threat that affects Windows XP SP1 and Windows XP SP2 only. This is a privately reported vulnerability, and there have been no reports of active exploits (CVE-2006-3442).

The Pragmatic General Multicast protocol is only present on systems with Microsoft Message Queuing version 3.0 installed, which isn't part of the default installation. Using firewall best practices should block attacks trying to exploit this vulnerability, but Microsoft reports no known workarounds.
Updates to previously released security bulletins

* Microsoft Security Bulletin MS06-040: Originally released in August, version 2.0 addresses patch problems with Windows Server 2003 and Windows XP Professional x64, as described in Knowledge Base article 921883.
* Microsoft Security Bulletin MS06-042: Also released in August, this Internet Explorer cumulative update has now reached version 3.0, a necessary step to fix a number of problems with the patches.