Microsoft July updates for critical Excel, Windows and .NET flaws

By Bill Brenner, Senior News Writer 10 Jul 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The software giant fixed three .NET flaws with the release of MS07-040, two of which allow attackers to launch malicious code remotely against client machines utilizing Microsoft's platform for building and running specialized applications. The company added that attackers could exploit the third flaw to access sensitive information on Web servers running ASP.NET.

Don Leatham, director of business development at Scottsdale, Ariz.-based PatchLink Corp., said IT administrators should deploy this fix with the highest urgency, given the pervasiveness of .NET.

"This seems to affect all versions of .NET, except the most recent (version 3.0)," he said. "If the user visits a Web site that runs Active Scripting code, which is very common in the Windows world, such a script could take advantage of this flaw."

While many experts are expressing similar views, the issues addressed in MS07-039 are of greater concern to Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn. Microsoft said that update fixes a flaw attackers could exploit in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 to launch malicious code remotely or cause a denial of service.

More on Patch Tuesday Microsoft's May update plugs 19 holes Microsoft plans changes to Patch Tuesday Learn how to verify the validity of a Microsoft patch

"The most serious patches depends on what's most important to you," Schultze said. "If you have a lot of clueless users who browse potentially malicious Web sites, the .NET update is critical. But if you believe the domain controller is most important, and I do, then MS07-039 is the most critical."

He said IT shops will always be dealing with clueless users, but when it comes to protecting the crown jewels, the domain controller, which is a key user authentication server in most organizations, is his greatest concern. "According to this bulletin, you can own my domain controller just by looking at it," he said. "I would patch this first."

The third critical bulletin released this month is MS07-036. Microsoft said it addresses a variety of flaws in its Excel application.

"These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file," Microsoft warned. "Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights."

Microsoft rated two of the six bulletins as important. One is MS07-037, which fixes a flaw attackers could exploit to remotely launch malicious code if a user views a specially crafted Microsoft Office Publisher file. The other is MS07-041, which fixes another remote-execution flaw attackers could exploit by sending specially crafted URL requests to a Web page hosted by Internet Information Services (IIS) 5.1 on Windows XP Professional Service Pack 2.

"An attacker who successfully exploited this vulnerability could take complete control of the affected system," Microsoft said. "This is an important security update for all supported 32-bit editions of Windows XP Service Pack 2."

Finally, Microsoft released one bulletin with a moderate rating. MS07-038 fixes a Windows Vista flaw that could allow incoming unsolicited network traffic to access a network interface. "An attacker could potentially gather information about the affected host," Microsoft said.

Tags: Security Patch Management,  Securing Productivity Applications,  Web Server Threats and Countermeasures,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Securing Productivity Applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Adobe acknowledges serious Flash zero-day vulnerability Adobe issues security advisory for Flash zero-day flaw When to use the service features of the Metasploit hacking tool How to manage patches for Adobe Web Server Threats and Countermeasures VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Symantec acquires Mi5 Networks, bolsters Web security

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary