Microsoft issues critical updates, patches DNS zero-day flaw

By Robert Westervelt, News Editor 08 May 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Some of the Exchange vulnerabilities kind of look odd and it's not clear at first glance if it affects the Outlook client and the server. Richard Linke,  independent security consultant

The patches were released on Tuesday as part of its monthly Patch Tuesday update cycle. If exploited, Microsoft said the critical flaws could allow an attacker to take complete control of a system.

The DNS Server Service flaw, which has been attacked on a limited scale in recent weeks, has been troublesome to some IT pros because DNS servers resolve domain names to the actual IP addresses of the Web servers hosting the requested sites.

Rich Linke, a Chicago-based independent security consultant and former global security manager at Kraft Foods said security pros will likely get to work on patching Exchange server and deploying the zero-day DNS server updates. Flaws in Internet Explorer and Excel also could "pose issues from a deployment standpoint," and be a sizeable push to the desktop, Linke said.

"Some of the Exchange vulnerabilities kind of look odd and it's not clear at first glance if it affects the Outlook client and the server," he said. "The DNS noise level calmed down quite a bit over last seven to ten days, so we didn't expect the update to come out of cycle."

Microsoft DNS zero-day: Microsoft to release DNS patch Tuesday: In addition to a fix for the DNS Server Service flaw, Microsoft plans to patch critical flaws in Windows, Office, Exchange, CAPICOM and BizTalk. DNS worm strikes at Microsoft flaw: A new worm called Rinbot.BC exploits the Microsoft DNS flaw by installing an IRC bot on infected machines and scanning for other vulnerable servers. Microsoft investigates DNS server flaw: Attackers could exploit a DNS flaw in Microsoft Windows 2000 Server and Windows Server 2003 and run malicious code on the system. A workaround is suggested until a patch is issued.

A remote code execution vulnerability in Microsoft Exchange affects Multipurpose Internet Mail Extensions. In an advisory issued to customers, Symantec called the vulnerability one of the more critical issues of the month.

"A successful attack could completely compromise the computer hosting the vulnerable Exchange server and has the potential for impacting a large audience," Symantec said.

Microsoft also issued patches plugging four critical vulnerabilities in Internet Explorer that could be exploited by an attacker when a user visits a malicious Web site. The flaws are in IE 6 and 7 and include a Property Type Memory Corruption Vulnerability and HTML Objects Memory Corruption.

"As we reported in the recent Internet Security Threat Report, attackers are continuing to leverage browser and application vulnerabilities and social engineering tactics to gain access to computers in order to execute malicious code," Oliver Friedrichs, director, emerging technologies, Symantec Security Response said in a statement.

Critical Vulnerabilities in Microsoft Word, which included an RTF parsing, a document stream and an array overflow flaw were plugged. Microsoft Word versions 6.0 and earlier were affected. A record vulnerability and set font flaw in Microsoft Excel was also patched. The flaws in both Word and Excel could be exploited by an attacker to gain control of a computer.

"Since the Microsoft Office vulnerability is entrusted in Web applications, like Internet Explorer, these patches are critical and should also be prioritized and deployed quickly," said Paul Zimski, senior director of market and product strategy for Scottsdale, Az.-based PatchLink.

Microsoft also released a non-security, high-priority update for Windows on Windows Update (WU) and Software Update Services (SUS) and non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

For more information, Microsoft held a Webcast about the latest update.

Tags: Securing Productivity Applications,  Windows Security: Alerts, Updates and Best Practices,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Securing Productivity Applications Software piracy group offers cash to whistleblowers How to secure a .pdf file How do hackers bypass a code signing procedure to inject malware Quiz: How to build secure applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Windows Security: Alerts, Updates and Best Practices Microsoft to address 12 vulnerabilities, IE display zero-day Exploit code targets Internet Explorer zero-day display flaw Windows 7 DoS flaw allows hackers to freeze Microsoft's newest OS Microsoft patches serious Windows kernel flaws Microsoft to address flaws in Windows, Office for Mac Microsoft fixes security update that breaks Internet Explorer What is the best database patch management process? Microsoft addresses critical SMBv2 flaw, fixes record number of flaws Microsoft to address SMB zero-day, IIS FTP Service vulnerabilities Microsoft releases temporary fix for SMB2 zero-day vulnerability Security Patch Management What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary sheepdip  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary