Microsoft released seven patch bulletins for its December 2007 security update on Tuesday, addressing critical flaws attackers could exploit to execute malicious code or gain extra system privileges on computers running DirectX, Internet Explorer (IE) and various versions of Windows.
Microsoft rated three updates critical, which means attackers could exploit the flaws to execute arbitrary code without user interaction and potentially hijack the targeted machine. They are:
MS07-064, which addresses two Microsoft DirectX flaws attackers could exploit to execute malicious code if the user opens a specially crafted streaming-media file in DirectX. DirectX is a collection of application programming interfaces used to handle multimedia-related tasks on Microsoft platforms, especially games and video.
MS07-068, which addresses a Windows Media File Format flaw attackers could exploit to execute malicious code if the user views a specially crafted file in Windows Media Format Runtime.
MS07-069, a cumulative IE update that addresses four flaws. Attackers could exploit the most serious of these to run malicious code on targeted machines when the user views a specially crafted Web page with Internet Explorer. Microsoft said the security update is rated moderate for Internet Explorer 6 and 7 on Windows Server 2003, but is critical for all other supported releases of the browser.
Don Leatham, director of solutions and strategy for Scottsdale, Ariz.-based Lumension Security, said users should treat MS07-068 and MS07-069 with the greatest urgency.
"Because of the media player component in MS07-068, you're looking at probably the largest attack vector, and the lesson of MS07-069 is that you have to be careful with Internet Explorer even if you're running it on a Vista machine," he said.
Eric Schultze, CTO of Shavlik Technologies LLC in Roseville, Minn., said IT administrators should deploy the IE update first, since the flaws are already being exploited in the wild. He also suggested that IT shops continue to move slowly in deploying Vista, given the number of Vista-related issues this month.
Microsoft rated four updates as important, which typically describes flaws attackers could exploit to compromise the confidentiality, integrity or availability of user data or the integrity or availability of processing resources. They are:
MS07-063, which addresses a Windows Vista flaw connected to Server Message Block Version 2 (SMBv2). Microsoft said the flaw could allow an attacker to tamper with data transferred via SMBv2, which could allow remote code execution in domain configurations communicating with SMBv2. Schultze said this flaw is an example of how Microsoft failed to weed out all the coding flaws when developing the latest version of Windows.
MS07-065, which addresses a flaw in the Message Queuing Service (MSMQ) that attackers could exploit to execute malicious code or gain elevated system privileges on Windows 2000 Server, Windows 2000 Professional and Windows XP. An attacker must have valid logon credentials to exploit this vulnerability, Microsoft noted.
MS07-066, which addresses a Windows Vista flaw connected to the Windows kernel. An attacker who successfully exploited this vulnerability could take complete control of an affected system, Microsoft warned.
MS07-067, which addresses a local privilege elevation flaw in how the Macrovision driver in Windows handles configuration parameters. An attacker who successfully exploited this vulnerability could take complete control of the system. The problem specifically affects Windows XP Service Pack 2; Windows XP Professional x64 Edition; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP1; Windows Server 2003 SP2; Windows Server 2003 x64 Edition; and Windows Server 2003 x64 Edition SP2.