Microsoft patches Windows Vista, IE 7

By Bill Brenner, Senior News Writer
12 Jun 2007 | SearchSecurity.com

Security Wire Daily News

Microsoft released six security bulletins to fix 15 flaws across its product line Tuesday, including Windows XP, Vista and Internet Explorer 7. Attackers could exploit the most serious flaws remotely to run malicious code on victims' machines.

Patch management experts said IT administrators should put top priority on deploying the patches for Internet Explorer and Windows, particularly those included in MS07-031, 032 and 033.

Don Leatham, director of solutions and strategy for Scottsdale, Ariz.-based PatchLink Corp., said he's most concerned about the Internet Explorer flaws outlined in MS07-033.

"Internet Explorer is the most widely used application out there and there's a lot of exploit potential in these flaws," he said.


Leatham noted that some flaws affect the latest version, Internet Explorer 7, and show that Microsoft continues to struggle to "get its IE code under control."

Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn., said he considers the worst flaws to be those in MS07-031 and 032.

"With the MS07-031 issue, if someone visits an evil site with SSL, that secure connection can actually be used to hijack the box," he said. "Windows XP users are in the most danger here. With MS07-032, we're looking at a Vista flaw Microsoft calls moderate. But they may be going fast and loose in explaining the seriousness of it."

He said the Vista flaw could be especially problematic for IT shops that have upgraded from XP to Vista, and that if a Vista box is compromised, the hacker could obtain the user name and password.

Here is a summary of all the June 2007 Microsoft security updates, in bulletin-number order:

MS07-030 is an "important" update fixing a remote code execution flaw that appears when users open a specially crafted Visio file.

MS07-031 is a "critical" update fixing a flaw in the Secure Channel (Schannel) security package in Windows. Microsoft noted that Schannel implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols, and that attackers could exploit the flaw for remote code execution if a user views a specially crafted Web page, or uses an application, that connects over SSL/TLS.

"Attempts to exploit this vulnerability would most likely result in the Web browser or application exiting," Microsoft said. "The system would not be able to connect to Web sites or resources using SSL or TLS until a restart of the system." The flaw affects Windows 2000, XP and Windows Server 2003.

MS07-032 is a "moderate" bulletin fixing a flaw attackers could exploit in Windows Vista to access local user data, including administrative passwords contained within the registry and local file system.
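Microsoft's bulletin for MS07-032 attributes the issue to overly permissive ACLs on certain Vista registry keys and files (that detail comes from the bulletin itself, not from this article). The following PowerShell function is an added example, not code from the article or from Microsoft: a read-only audit that reports registry keys or files under a chosen path on which broad, low-privilege groups hold read rights. The principal list and the sample paths in the invocation at the bottom are assumptions for illustration, not the objects the bulletin fixed; point it at the subtrees that hold secrets on your own systems. Run it from an elevated prompt so Get-Acl can read every object; objects it still cannot read are reported as warnings rather than silently skipped.

```powershell
# Added example (not from the article or from Microsoft): audit for the class of
# weakness behind MS07-032, i.e. low-privilege groups able to read registry keys
# or files that store sensitive data. It only reports; it changes nothing.

function Find-BroadReadAccess {
    param(
        # Registry (HKLM:\...) or file system path; it and everything below it is checked.
        [Parameter(Mandatory = $true)][string]$Path,
        # Groups that should not be able to read secrets. Assumed default list; adjust it.
        [string[]]$Principals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    # Include the root object itself as well as everything beneath it.
    $items = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -Path $item.PSPath -ErrorAction Stop
        } catch {
            Write-Warning ("Cannot read ACL on {0}: {1}" -f $item.PSPath, $_.Exception.Message)
            continue
        }

        foreach ($ace in $acl.Access) {
            # Only Allow entries widen access; Deny entries tighten it.
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }

            # Registry ACEs expose RegistryRights, file ACEs expose FileSystemRights.
            # QueryValues / ReadData is the bit that lets a caller read the data itself.
            if ($ace.PSObject.Properties['RegistryRights']) {
                $rights  = $ace.RegistryRights
                $readBit = [System.Security.AccessControl.RegistryRights]::QueryValues
            } else {
                $rights  = $ace.FileSystemRights
                $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
            }
            if (($rights -band $readBit) -eq 0) { continue }

            [pscustomobject]@{
                Object    = $item.PSPath -replace '^.*::', ''   # strip the provider prefix
                Principal = $ace.IdentityReference.Value
                Rights    = $rights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Sample invocation. Both paths are illustrative placeholders, not the objects
# the bulletin fixed; substitute the locations that hold credentials on your hosts.
Find-BroadReadAccess -Path 'HKLM:\SOFTWARE\Contoso\Secrets' | Format-Table -AutoSize
Find-BroadReadAccess -Path 'C:\ProgramData\Contoso'          | Format-Table -AutoSize
```

Read access for Users on most of HKLM\SOFTWARE is normal and expected, so run the audit against subtrees that are supposed to hold secrets rather than whole hives, and treat each hit as a finding to review, not automatically as a vulnerability. Inherited entries usually mean the parent key or directory is the thing to fix.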

MS07-033 is a "critical" update fixing five privately reported vulnerabilities and one publicly disclosed vulnerability. Attackers could exploit all but one to remotely run malicious code on targeted machines if the user views a specially crafted Web page using Internet Explorer. The flaws affect Internet Explorer 5.01 and 6, as well as most supported releases of Internet Explorer 7.

MS07-034 is a "critical" update fixing two privately reported and two publicly disclosed vulnerabilities. Attackers could exploit one flaw to run malicious code on targeted machines if the user views a specially crafted email using the Windows Mail program in Windows Vista. Attackers could exploit the other flaws to access sensitive information if the user visits a specially crafted Web page using Internet Explorer.

MS07-035 is a "critical" update fixing a Win32 API flaw. Attackers could run malicious code on targeted machines and get extra user privileges if the affected API is used locally by a specially crafted application. "Therefore, applications that use this component of the Win32 API could be used as a vector for this vulnerability," Microsoft said. "For example, Internet Explorer uses this Win32 API function when parsing specially crafted Web pages." Microsoft said the problem affects all supported versions of Windows 2000, XP, and Windows Server 2003.

Santa Clara, Calif.-based McAfee Inc. said in a statement that the majority of flaws addressed this month could be exploited through malicious Web sites.

"Today's Microsoft patches underline the risk of surfing the Web unprotected," Dave Marcus, security research and communications manager at McAfee Avert Labs, said in the statement. "Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious Web site, a favorite attack method among cyber criminals."
