Microsoft issues critical updates, patches DNS zero-day flaw

By Robert Westervelt, News Editor
08 May 2007 | SearchSecurity.com

Security Wire Daily News

Microsoft plugged 19 holes on Tuesday, including seven critical updates, addressing a zero-day DNS server flaw, and flaws in Microsoft Exchange, Internet Explorer, Microsoft Excel, Word and Office.

The patches were released on Tuesday as part of Microsoft's monthly Patch Tuesday update cycle. Microsoft said that if exploited, the critical flaws could allow an attacker to take complete control of a system.

The DNS Server Service flaw, which has been attacked on a limited scale in recent weeks, has been troublesome to some IT pros because DNS servers resolve domain names to the actual IP addresses of the Web servers hosting the requested sites.

Rich Linke, a Chicago-based independent security consultant and former global security manager at Kraft Foods, said security pros will likely get to work on patching Exchange Server and deploying the zero-day DNS server updates. Flaws in Internet Explorer and Excel also could "pose issues from a deployment standpoint" and require a sizeable push to the desktop, Linke said.

"Some of the Exchange vulnerabilities kind of look odd and it's not clear at first glance if it affects the Outlook client and the server," he said. "The DNS noise level calmed down quite a bit over the last seven to ten days, so we didn't expect the update to come out of cycle."

A remote code execution vulnerability in Microsoft Exchange affects its handling of Multipurpose Internet Mail Extensions (MIME). In an advisory issued to customers, Symantec called the vulnerability one of the more critical issues of the month.

"A successful attack could completely compromise the computer hosting the vulnerable Exchange server and has the potential for impacting a large audience," Symantec said.

Microsoft also issued patches plugging four critical vulnerabilities in Internet Explorer that could be exploited by an attacker when a user visits a malicious Web site. The flaws are in IE 6 and 7 and include a Property Type Memory Corruption Vulnerability and an HTML Objects Memory Corruption Vulnerability.

"As we reported in the recent Internet Security Threat Report, attackers are continuing to leverage browser and application vulnerabilities and social engineering tactics to gain access to computers in order to execute malicious code," Oliver Friedrichs, director, emerging technologies, Symantec Security Response said in a statement.

Critical vulnerabilities in Microsoft Word, including an RTF parsing flaw, a document stream flaw and an array overflow flaw, were plugged. Microsoft Word versions 6.0 and earlier were affected. A record vulnerability and a set font flaw in Microsoft Excel were also patched. The flaws in both Word and Excel could be exploited by an attacker to gain control of a computer.

"Since the Microsoft Office vulnerability is entrusted in Web applications, like Internet Explorer, these patches are critical and should also be prioritized and deployed quickly," said Paul Zimski, senior director of market and product strategy for Scottsdale, Ariz.-based PatchLink.

Microsoft also released a non-security, high-priority update for Windows on Windows Update (WU) and Software Update Services (SUS) and non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Microsoft held a Webcast with more information about the latest update.
