Microsoft July updates for critical Excel, Windows and .NET flaws

By Bill Brenner, Senior News Writer 10 Jul 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The software giant fixed three .NET flaws with the release of MS07-040, two of which allow attackers to launch malicious code remotely against client machines utilizing Microsoft's platform for building and running specialized applications. The company added that attackers could exploit the third flaw to access sensitive information on Web servers running ASP.NET.

Don Leatham, director of business development at Scottsdale, Ariz.-based PatchLink Corp., said IT administrators should deploy this fix with the highest urgency, given the pervasiveness of .NET.

"This seems to affect all versions of .NET, except the most recent (version 3.0)," he said. "If the user visits a Web site that runs Active Scripting code, which is very common in the Windows world, such a script could take advantage of this flaw."

While many experts are expressing similar views, the issues addressed in MS07-039 are of greater concern to Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn. Microsoft said that update fixes a flaw attackers could exploit in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 to launch malicious code remotely or cause a denial of service.

More on Patch Tuesday Microsoft's May update plugs 19 holes Microsoft plans changes to Patch Tuesday Learn how to verify the validity of a Microsoft patch

"The most serious patches depends on what's most important to you," Schultze said. "If you have a lot of clueless users who browse potentially malicious Web sites, the .NET update is critical. But if you believe the domain controller is most important, and I do, then MS07-039 is the most critical."

He said IT shops will always be dealing with clueless users, but when it comes to protecting the crown jewels, the domain controller, which is a key user authentication server in most organizations, is his greatest concern. "According to this bulletin, you can own my domain controller just by looking at it," he said. "I would patch this first."

The third critical bulletin released this month is MS07-036. Microsoft said it addresses a variety of flaws in its Excel application.

"These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file," Microsoft warned. "Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights."

Microsoft rated two of the six bulletins as important. One is MS07-037, which fixes a flaw attackers could exploit to remotely launch malicious code if a user views a specially crafted Microsoft Office Publisher file. The other is MS07-041, which fixes another remote-execution flaw attackers could exploit by sending specially crafted URL requests to a Web page hosted by Internet Information Services (IIS) 5.1 on Windows XP Professional Service Pack 2.

"An attacker who successfully exploited this vulnerability could take complete control of the affected system," Microsoft said. "This is an important security update for all supported 32-bit editions of Windows XP Service Pack 2."

Finally, Microsoft released one bulletin with a moderate rating. MS07-038 fixes a Windows Vista flaw that could allow incoming unsolicited network traffic to access a network interface. "An attacker could potentially gather information about the affected host," Microsoft said.

Tags: Security Patch Management,  Securing Productivity Applications,  Web Server Threats and Countermeasures,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw Firefox update addresses several security flaws Securing Productivity Applications Adobe fixes critical Shockwave Flash Player flaw Adobe issues first quarterly patch release fixing 13 flaws Adobe shifts to Microsoft patching process, incident response plan Balancing security and performance: Protecting layer 7 on the network Software Piracy pandemic needs government role, better vendor antipiracy plans McAfee to acquire Solidcore Systems for whitelisting Adobe issues Reader update fixing zero-day flaw Microsoft to patch critical PowerPoint zero-day flaw PCI DSS: Best practices for compliance Adobe working on patch to correct new zero-day flaw Web Server Threats and Countermeasures Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Symantec acquires Mi5 Networks, bolsters Web security How to harden Linux operating systems How to clear out anonymous Web proxy servers in the workplace Information security book excerpts and reviews Is it more secure to have a mainframe or a collection of servers? How does a Web server model differ from an application server model?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary