Microsoft patches Windows Vista, IE 7

By Bill Brenner, Senior News Writer
12 Jun 2007 | SearchSecurity.com

Microsoft released six security bulletins to fix 15 flaws across its product line Tuesday, including Windows XP, Vista and Internet Explorer 7. Attackers could exploit the most serious flaws remotely to run malicious code on victims' machines.

Patch management experts said IT administrators should put top priority on deploying the patches for Internet Explorer and Windows, particularly those included in MS07-031, 032 and 033.

Don Leatham, director of solutions and strategy for Scottsdale, Ariz.-based PatchLink Corp., said he's most concerned about the Internet Explorer flaws outlined in MS07-033.

"Internet Explorer is the most widely used application out there and there's a lot of exploit potential in these flaws," he said.

Leatham noted that some flaws affect the latest version, Internet Explorer 7, and show that Microsoft continues to struggle to "get its IE code under control."

Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn., said he considers the worst flaws to be those in MS07-031 and 032.

"With the MS07-031 issue, if someone visits an evil site with SSL, that secure connection can actually be used to hijack the box," he said. "Windows XP users are in the most danger here. With MS07-032, we're looking at a Vista flaw Microsoft calls moderate. But they may be going fast and loose in explaining the seriousness of it."

He said the Vista flaw could be especially problematic for IT shops that have upgraded from XP to Vista, and that if a Vista box is compromised, the hacker could obtain the user name and password.

Here is a summary of all the June 2007 Microsoft security updates, in bulletin-number order:

MS07-030 is an "important" update fixing a remote code execution flaw that appears when users open a specially crafted Visio file.

MS07-031 is a "critical" update fixing a flaw in the Secure Channel (Schannel) security package in Windows. Microsoft noted that Schannel implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard protocols and that attackers could exploit the flaw for remote code execution if a user connects to a specially crafted Web page or application over SSL/TLS.

"Attempts to exploit this vulnerability would most likely result in the Web browser or application exiting," Microsoft said. "The system would not be able to connect to Web sites or resources using SSL or TLS until a restart of the system." The flaw affects Windows 2000, XP and Windows Server 2003.

MS07-032 is a "moderate" bulletin fixing a flaw attackers could exploit in Windows Vista to access local user data, including administrative passwords contained within the registry and local file system.

MS07-033 is a "critical" cumulative update fixing five privately reported vulnerabilities and one publicly disclosed vulnerability. Attackers could exploit all but one to remotely run malicious code on targeted machines if the user views a specially crafted Web page using Internet Explorer. The flaws affect Internet Explorer 5.01 and 6, as well as most supported releases of Internet Explorer 7.

MS07-034 is a "critical" update fixing two privately reported and two publicly disclosed vulnerabilities. Attackers could exploit one flaw to run malicious code on targeted machines if the user views a specially crafted email using the Windows Mail program in Windows Vista. Attackers could exploit the other flaws to access sensitive information if the user visits a specially crafted Web page using Internet Explorer.

MS07-035 is a "critical" update fixing a Win32 API flaw. Attackers could run malicious code on targeted machines and get extra user privileges if the affected API is used locally by a specially crafted application. "Therefore, applications that use this component of the Win32 API could be used as a vector for this vulnerability," Microsoft said. "For example, Internet Explorer uses this Win32 API function when parsing specially crafted Web pages." Microsoft said the problem affects all supported versions of Windows 2000, XP, and Windows Server 2003.
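The advice above is to deploy MS07-031, 032 and 033 first, and the practical follow-up is checking that they actually landed. The script below is an added example, not code from the article or from Microsoft: it queries Win32_QuickFixEngineering on a list of hosts and reports which of the prioritised bulletins are present. The hostnames are constructed, and the KB values are placeholders; the article does not list the KB article numbers, so they must be taken from each bulletin before the script is run.

```powershell
# Added example (not from the article): verify that the prioritised June 2007
# bulletins are installed on a set of Windows hosts.
# The KB values are placeholders (assumption): replace them with the KB article
# number each bulletin references before running.
$required = @{
    'MS07-031' = 'KB000000'   # placeholder: Schannel fix, Windows 2000/XP/Server 2003
    'MS07-032' = 'KB000000'   # placeholder: Vista information-disclosure fix
    'MS07-033' = 'KB000000'   # placeholder: cumulative Internet Explorer update
}

# Hostnames constructed for illustration.
$computers = @('ws-xp-01', 'ws-vista-01', 'srv-2003-01')

foreach ($computer in $computers) {
    try {
        # Win32_QuickFixEngineering lists updates applied through the Windows
        # update components; HotFixID is the "KBnnnnnn" string.
        $installed = Get-WmiObject -Class Win32_QuickFixEngineering `
                                   -ComputerName $computer -ErrorAction Stop |
                     ForEach-Object { $_.HotFixID }
    } catch {
        Write-Warning ("{0}: could not enumerate hotfixes ({1})" -f $computer, $_.Exception.Message)
        continue
    }

    foreach ($bulletin in $required.Keys) {
        $kb = $required[$bulletin]
        $status = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
        New-Object PSObject -Property @{
            Computer = $computer
            Bulletin = $bulletin
            KB       = $kb
            Status   = $status
        }
    }
}
```

Two caveats a practitioner should keep in mind: a bulletin that does not apply to a host's platform (MS07-032 on XP, MS07-031 on Vista) will show as MISSING, so filter the required list by operating system before trusting the report; and remote WMI needs the DCOM/RPC ports open and an account with administrative rights on each target, so a MISSING result caused by a failed query is surfaced as a warning rather than silently counted as unpatched.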

Santa Clara, Calif.-based McAfee Inc. said in a statement that the majority of flaws addressed this month could be exploited through malicious Web sites.

"Today's Microsoft patches underline the risk of surfing the Web unprotected," Dave Marcus, security research and communications manager at McAfee Avert Labs, said in the statement. "Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious Web site, a favorite attack method among cyber criminals."
