Microsoft fixes two zero-day flaws

By Bill Brenner, Senior News Writer 12 Dec 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft fixed zero-day flaws in Visual Studio and Windows Media Player Tuesday, but recently-disclosed zero-day vulnerabilities in Word remain unpatched for now.

In all, Microsoft released seven security updates. Three address critical problems while four are for issues the software giant deems "important." The patch batch shows how Microsoft is racing to keep up with a steady stream of zero-day threats. The Windows Media Player flaw was just disclosed last week, while the Visual Studio threat appeared in early November.

Zero-day threat: Zero-day tracker a hit, but IT shops need better strategy Microsoft suffers third zero-day in a week Zero-day attacks target Microsoft Visual Studio

Despite the company's speed in dealing with the problem, one security expert said it remains extremely difficult for Microsoft to stay on top of threats that seem to appear at least once a week.

"While we see Microsoft making an attempt to patch zero-day vulnerabilities, they are still struggling to keep up with the continuous influx of zero-day attacks released closely proceeding and immediately following the patch cycle," Amol Sarwate, manager of vulnerability research for Redwood Shores, Calif.-based security firm Qualys, said in an emailed statement.

Three critical fixes
Three security updates fix critical problems attackers could exploit to take full control of targeted machines. Microsoft said an attacker who does this "could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS06-072 fixes four Internet Explorer flaws attackers could exploit by constructing a malicious Web site and luring users to it. They are vulnerabilities that:

• Surface during attempts to access previously freed memory when handling script errors in certain situations.
• Surface when Internet Explorer interprets certain DHTML script function calls.
• Surface when the browser's drag-and-drop operations are handled in certain situations.
• Could allow the path to cached content in the TIF folder to be disclosed.

An attacker who successfully exploits the latter two flaws could retrieve files from the Temporary Internet Files (TIF) folder on a user's system, Microsoft said.

MS06-073 fixes a previously-disclosed zero-day flaw in Visual Studio 2005 that has already been targeted by attackers. The problem is in the WMI object broker control that the WMI wizard uses in Visual Studio 2005.

"An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page," Microsoft said.

MS06-078 fixes two Windows Media Player flaws, one of which was disclosed as a zero-day flaw last week.

The first problem is in how the program handles advanced systems format (.asf) files. "An attacker could exploit the vulnerability by constructing specially crafted Windows Media Player content that could potentially allow remote code execution if a user visits a malicious Web site or opens an email message with malicious content," Microsoft said.

The second problem, disclosed last week, is in how the program handles certain elements contained in advanced stream redirector (.asx) files. "An attacker could exploit the vulnerability by constructing a specially crafted .asx file that could allow remote code execution if a user visits a malicious Web site, where specially crafted .asx files are used to launch Windows Media player, or if a user clicks on a URL pointing to a specially crafted .asx file," Microsoft said.

Four important fixes
The rest of this month's security updates are for problems Microsoft rated as important.

MS06-074 fixes a memory corruption flaw attackers could exploit in Windows' SNMP service to take complete control of the affected system.

MS06-075 fixes a flaw in how Windows starts applications with specially crafted file manifests. A logged-on user could exploit the flaw to take complete control of the system.

MS06-076 fixes an Outlook Express flaw attackers could exploit by sending the user a corrupt Windows Address Book file.

MS06-077 fixes a flaw in the Remote Installation Service (RIS) that enables a TFTP service on the server. Attackers could exploit this condition to overwrite existing operating system files or upload a specially crafted file. "This could allow an attacker to compromise operating system installs offered by the RIS server," Microsoft said.

Tags: Security Patch Management,  Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Windows Security: Alerts, Updates and Best Practices Microsoft to address flaws in Windows, Office for Mac Microsoft fixes security update that breaks Internet Explorer What is the best database patch management process? Microsoft addresses critical SMBv2 flaw, fixes record number of flaws Microsoft to address SMB zero-day, IIS FTP Service vulnerabilities Microsoft releases temporary fix for SMB2 zero-day vulnerability Microsoft issues SMB vulnerability advisory, patch pending Attackers target Microsoft IIS; new SMB flaw discovered Microsoft repairs Windows media, TCP/IP vulnerabilities Microsoft five critical updates won't include IIS

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary