Microsoft released six security bulletins to fix 15 flaws across its product line Tuesday, including Windows XP, Vista and Internet Explorer 7. Attackers could exploit the most serious flaws remotely to run malicious code on victims' machines.
Patch management experts said IT administrators should put top priority on deploying the patches for Internet Explorer and Windows, particularly those included in MS07-031, 032 and 033.
Don Leatham, director of solutions and strategy for Scottsdale, Ariz.-based PatchLink Corp., said he's most concerned about the Internet Explorer flaws outlined in MS07-033.
"Internet Explorer is the most widely used application out there and there's a lot of exploit potential in these flaws," he said.
Leatham noted that some flaws affect the latest version, Internet Explorer 7, and show that Microsoft continues to struggle to "get its IE code under control."
"With the MS07-031 issue, if someone visits an evil site with SSL, that secure connection can actually be used to hijack the box," he said. "Windows XP users are in the most danger here. With MS07-032, we're looking at a Vista flaw Microsoft calls moderate. But they may be going fast and loose in explaining the seriousness of it."
He said the Vista flaw could be especially problematic for IT shops that have upgraded from XP to Vista, and that if a Vista box is compromised, the hacker could obtain the user name and password.
Here is a summary of all the June 2007 Microsoft security updates, in chronological order:
MS07-030 is an "important" update fixing a remote code execution flaw that appears when users open a specially crafted Visio file.
MS07-031 is a "critical" update fixing a flaw in the Secure Channel (Schannel) program in Windows. Microsoft noted that the Schannel security package implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols and that attackers could exploit the flaw for remote code execution if a user views a specially crafted Web page or application that uses SSL/TLS.
"Attempts to exploit this vulnerability would most likely result in the Web browser or application exiting," Microsoft said. "The system would not be able to connect to Web sites or resources using SSL or TLS until a restart of the system." The glitch affects Windows 2000, XP and Windows Server 2003.
MS07-032 is a "moderate" bulletin fixing a flaw attackers could exploit in Windows Vista to access local user data, including administrative passwords contained within the registry and local file system.
MS07-033 is a "critical" update fixing five privately reported vulnerabilities and one publicly disclosed vulnerability. Attackers could exploit all but one to remotely run malicious code on targeted machines if the user views a specially crafted Web page using Internet Explorer. The flaws affect Internet Explorer 5.01 and 6, as well as most supported releases of Internet Explorer 7.
MS07-034 is a "critical" update fixing two privately reported and two publicly disclosed vulnerabilities. Attackers could exploit one flaw to run malicious code on targeted machines if the user views a specially crafted email using the Windows Mail program in Windows Vista. Attackers could exploit the other flaws to access sensitive information if the user visits a specially crafted Web page using Internet Explorer.
MS07-035 is a "critical" update fixing a Win32 API flaw. Attackers could run malicious code on targeted machines and gain elevated user privileges if the affected API is used locally by a specially crafted application. "Therefore, applications that use this component of the Win32 API could be used as a vector for this vulnerability," Microsoft said. "For example, Internet Explorer uses this Win32 API function when parsing specially crafted Web pages." Microsoft said the problem affects all supported versions of Windows 2000, XP, and Windows Server 2003.
Santa Clara, Calif.-based McAfee Inc. said in a statement that the majority of flaws addressed this month could be exploited through malicious Web sites.
"Today's Microsoft patches underline the risk of surfing the Web unprotected," Dave Marcus, security research and communications manager at McAfee Avert Labs, said in the statement. "Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious Web site, a favorite attack method among cyber criminals."