Latest Microsoft flaws affect Windows, IE, Excel

By Bill Brenner, Senior News Writer
14 Aug 2007 | SearchSecurity.com


Microsoft released nine security updates Tuesday for flaws in Internet Explorer, Excel and several Windows components. Attackers could exploit the most serious of them to hijack targeted machines and run malicious code, the software giant warned.

Six updates address critical flaws, which Microsoft typically describes as those an attacker could exploit to take complete control of an affected system to install programs; view, change, or delete data; or create new accounts. The rest of this month's updates are rated important.

Amol Sarwate, manager of vulnerability research for Redwood Shores, Calif.-based security firm Qualys, said IT administrators should put the most urgency on deploying MS07-046, which fixes a flaw in how Windows' Graphics Rendering Engine handles specially crafted images.

Microsoft said an attacker could exploit the flaw with a specially crafted image, for example one opened as an email attachment, to execute code remotely, and that a successful attacker could take complete control of the affected system. All supported editions of Windows are affected except Windows Server 2003 Service Pack 2 and Windows Vista.

"This is a flaw that affects the core of the Windows Graphics Library, so it should really be on the top of the list," he said, adding that IT shops should also patch the latest Internet Explorer and Excel flaws as soon as possible, since those programs are so widely used.

Sarwate said this month's security updates reflect a continuing trend toward more Web-centric vulnerabilities, with more flaws being discovered in image file parsers, media players and browsers. Dave Marcus, security research and communications manager for McAfee Avert Labs, agreed.

"Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site," he said in an emailed statement. "Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits."

In addition to MS07-046, the "critical" security updates are:

MS07-042, which fixes a flaw attackers could exploit by luring Internet Explorer users to a specially crafted Web page. Specifically, the vulnerability could be exploited by attacking Microsoft XML Core Services. The flaw affects all supported editions of Windows 2000, Windows XP, Windows Vista, Microsoft Office 2003, and the 2007 Microsoft Office System.

MS07-043, which fixes a flaw in Object Linking and Embedding (OLE) attackers could exploit to run malicious code on targeted machines. This flaw affects all supported editions of Windows 2000, Windows XP, Microsoft Office 2004 for Mac, and Visual Basic 6. "This security update addresses the vulnerability by adding a check on memory requests within OLE automation," Microsoft said in its advisory.

MS07-044, which fixes a flaw in Microsoft Excel. Attackers could exploit it to run malicious code if a user opens a specially crafted Excel file, Microsoft said. The update is critical for supported editions of Microsoft Office 2000, and important for supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, and Excel Viewer 2003. Microsoft addressed the problem by modifying the way the program handles specially crafted Excel files.

MS07-045, a cumulative update for Internet Explorer that fixes flaws attackers could exploit to launch malicious code when a user views a specially crafted Web page with the browser. "The security update addresses two vulnerabilities by setting the kill bit for ActiveX controls, and addresses a third vulnerability by modifying the way Internet Explorer handles certain strings in CSS files," Microsoft said.
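A kill bit is not a code change to the vulnerable control: it is a registry flag that tells Internet Explorer to refuse to instantiate a control with a given CLSID. The following PowerShell is an added example, not part of the article or of the Microsoft bulletin, for checking whether a CLSID already has its kill bit set and for setting it as an interim mitigation on machines that cannot take the patch yet. It relies only on the documented mechanism (the 0x400 bit of the "Compatibility Flags" value under the ActiveX Compatibility key, Microsoft KB240797); the all-zero CLSID in the usage line is a placeholder, not one of the controls addressed by MS07-045.

```powershell
# Added example (not from the article or the bulletin): inspect and set the
# Internet Explorer ActiveX kill bit for a CLSID. The kill bit is bit 0x400 of
# the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# (Microsoft KB240797). Setting it requires administrative rights.

$script:KillBit = 0x400

function Get-ActiveXCompatKey {
    param(
        [Parameter(Mandatory)] [string]$Clsid,
        # 32-bit IE on 64-bit Windows reads the Wow6432Node view of the key.
        [switch]$Wow64
    )
    $base = 'HKLM:\SOFTWARE\'
    if ($Wow64) { $base += 'Wow6432Node\' }
    return $base + 'Microsoft\Internet Explorer\ActiveX Compatibility\' + $Clsid
}

function Test-ActiveXKillBit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$Clsid,
        [switch]$Wow64
    )
    process {
        $key   = Get-ActiveXCompatKey -Clsid $Clsid -Wow64:$Wow64
        $flags = 0
        if (Test-Path -Path $key) {
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.'Compatibility Flags') {
                $flags = [int]$item.'Compatibility Flags'
            }
        }
        [pscustomobject]@{
            Clsid      = $Clsid
            Key        = $key
            KeyExists  = (Test-Path -Path $key)
            Flags      = ('0x{0:X}' -f $flags)
            KillBitSet = (($flags -band $script:KillBit) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    # Creates the compatibility key if needed and ORs in the kill bit,
    # preserving any other flags already present. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$Clsid,
        [switch]$Wow64
    )
    process {
        $key   = Get-ActiveXCompatKey -Clsid $Clsid -Wow64:$Wow64
        $state = Test-ActiveXKillBit -Clsid $Clsid -Wow64:$Wow64
        if ($state.KillBitSet) {
            Write-Verbose "Kill bit already set for $Clsid"
            return $state
        }
        if ($PSCmdlet.ShouldProcess($key, 'Set ActiveX kill bit')) {
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            $newFlags = [int]($state.Flags) -bor $script:KillBit
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord
        }
        return (Test-ActiveXKillBit -Clsid $Clsid -Wow64:$Wow64)
    }
}

# Usage. The CLSID below is a placeholder; substitute the CLSIDs listed in the
# bulletin you are verifying. Run with -Wow64 as well on 64-bit Windows.
'{00000000-0000-0000-0000-000000000000}' | Test-ActiveXKillBit
'{00000000-0000-0000-0000-000000000000}' | Set-ActiveXKillBit -WhatIf
```

Two caveats worth knowing when relying on kill bits rather than the patch: the flag only stops Internet Explorer (and other hosts that honor the compatibility key) from loading the control, so the vulnerable binary is still on disk and reachable by any other process that instantiates it; and on 64-bit Windows both the native and the Wow6432Node keys need to be checked, because 32-bit and 64-bit IE read different views.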

MS07-050, which fixes a flaw in the Vector Markup Language (VML) implementation in Windows. "The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer," Microsoft said. The update affects supported releases of Internet Explorer 5.01, Internet Explorer 6, and Internet Explorer 7.

The "important" security updates are:

MS07-047, which fixes two flaws in Windows Media Player. "These vulnerabilities could allow code execution if a user viewed a specially crafted file in Windows Media Player," Microsoft said.

MS07-048, which fixes several Windows Gadgets flaws. "If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget, added a malicious contacts file in the Contacts Gadget or clicked on a malicious link in the Weather Gadget, an attacker could potentially run code on the system," Microsoft said.

MS07-049, which fixes a flaw in Microsoft Virtual PC and Microsoft Virtual Server that could allow a user of a guest operating system to run code on the host or on another guest operating system. Microsoft noted that only guest users with administrative permissions in the guest operating system would be able to exploit this vulnerability. The update affects all supported releases of Microsoft Virtual PC 2004, Microsoft Virtual Server 2005, Microsoft Virtual Server 2005 R2, Microsoft Virtual PC for Mac Version 6.1, and Microsoft Virtual PC for Mac Version 7.


