Microsoft fixes WSUS, releases Windows security updates

By Bill Brenner, Senior News Writer 13 Nov 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

But perhaps more significant than the updates themselves, Microsoft also fixed a glitch in Windows Server Update Services (WSUS) that had threatened chaos for IT shops, many of which rely on the tool to deploy the software giant's monthly patches.

Amol Sarwate, manager of vulnerability research for Redwood Shores, Calif.-based security firm Qualys Inc., said IT administrators should move quickly on MS07-061, a critical update that fixes a remote code execution flaw in how the Windows shell handles specially crafted URIs that are passed to it.

If the Windows shell doesn't sufficiently validate these URIs, Microsoft said, it could enable an attacker to run malware on targeted machines. Microsoft said the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003.

"This is a zero-day flaw attackers have already used to post malicious URLs on bulletin boards, in documents and in emails," Sarwate said. "Instead of the intended action, the machine gets infected and the attacker can take complete control of the system."

Eric Schultze, CTO of Shavlik Technologies LLC in Roseville, Minn., agreed, saying, "This is one of the more dangerous items we've seen in the last six months, and that's why IT administrators need to be quick with this one."

Microsoft also released MS07-062, an important update that fixes a spoofing flaw in Windows DNS servers attackers could exploit to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations. The security update applies to all supported versions of Microsoft Windows 2000 Server and Windows Server 2003.

While it's only rated as important, Sarwate said IT administrators who manage DNS servers should treat it as if it were critical. "This is remotely exploitable and an attacker can target you anywhere in the world with this," he said. "It doesn't require a user to click on malicious links."

WSUS fixed
While this is one of the lightest patch release months Microsoft has had in some time, IT administrators will also be relieved to know the software giant has fixed a WSUS glitch that could have wreaked havoc with this week's patching efforts.

Sunday evening, Microsoft renamed a product category entry for its Forefront line of business security products to clarify the scope of future updates. Unfortunately, the company said, the category name that was used included the word Nitrogen in double quotes (appearing as "Nitrogen"). A double quote is a restricted character within WSUS, which created an error condition on the administration console.

IT administrators fretted about the glitch on various message boards, but were relieved early Tuesday when Microsoft fixed the problem.

No more MBSA 1.2 support
Schultze said this month's security update also marks the first time Microsoft is not supporting the MSSecure.XML file used by the Microsoft Baseline Security Analyzer (MBSA) version 1.2, which Windows administrators have relied on to scan for newly released patches.

Shavlik is using this month's Patch Tuesday to alert customers that it is offering a drop-in command-line replacement to MBSA 1.2, which will enable customers to continue scanning for security patches without requiring any changes to their existing scripts, Schultze said.

Tags: Security Patch Management,  Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe Windows Security: Alerts, Updates and Best Practices Microsoft to address 12 vulnerabilities, IE display zero-day Exploit code targets Internet Explorer zero-day display flaw Windows 7 DoS flaw allows hackers to freeze Microsoft's newest OS Microsoft patches serious Windows kernel flaws Microsoft to address flaws in Windows, Office for Mac Microsoft fixes security update that breaks Internet Explorer What is the best database patch management process? Microsoft addresses critical SMBv2 flaw, fixes record number of flaws Microsoft to address SMB zero-day, IIS FTP Service vulnerabilities Microsoft releases temporary fix for SMB2 zero-day vulnerability

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary