News Stay informed about the latest enterprise technology news and product updates.

Microsoft July updates for critical Excel, Windows and .NET flaws

Of the six security updates Microsoft released Tuesday, experts expressed the most concern about a critical glitch in the .NET Framework that could leave client machines and Web servers open to attack.

Microsoft released six security updates Tuesday, three of which address critical flaws in Excel, Windows and the .NET Framework. And it's the .NET issues in particular that have security experts concerned.

The software giant fixed three .NET flaws with the release of MS07-040, two of which allow attackers to launch malicious code remotely against client machines utilizing Microsoft's platform for building and running specialized applications. The company added that attackers could exploit the third flaw to access sensitive information on Web servers running ASP.NET.

Don Leatham, director of business development at Scottsdale, Ariz.-based PatchLink Corp., said IT administrators should deploy this fix with the highest urgency, given the pervasiveness of .NET.

"This seems to affect all versions of .NET, except the most recent (version 3.0)," he said. "If the user visits a Web site that runs Active Scripting code, which is very common in the Windows world, such a script could take advantage of this flaw."

While many experts are expressing similar views, the issues addressed in MS07-039 are of greater concern to Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn. Microsoft said that update fixes a flaw attackers could exploit in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 to launch malicious code remotely or cause a denial of service.

More on Patch Tuesday

Microsoft's May update plugs 19 holes

Microsoft plans changes to Patch Tuesday

Learn how to verify the validity of a Microsoft patch
"The most serious patches depends on what's most important to you," Schultze said. "If you have a lot of clueless users who browse potentially malicious Web sites, the .NET update is critical. But if you believe the domain controller is most important, and I do, then MS07-039 is the most critical."

He said IT shops will always be dealing with clueless users, but when it comes to protecting the crown jewels, the domain controller, which is a key user authentication server in most organizations, is his greatest concern. "According to this bulletin, you can own my domain controller just by looking at it," he said. "I would patch this first."

The third critical bulletin released this month is MS07-036. Microsoft said it addresses a variety of flaws in its Excel application.

"These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file," Microsoft warned. "Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights."

Microsoft rated two of the six bulletins as important. One is MS07-037, which fixes a flaw attackers could exploit to remotely launch malicious code if a user views a specially crafted Microsoft Office Publisher file. The other is MS07-041, which fixes another remote-execution flaw attackers could exploit by sending specially crafted URL requests to a Web page hosted by Internet Information Services (IIS) 5.1 on Windows XP Professional Service Pack 2.

"An attacker who successfully exploited this vulnerability could take complete control of the affected system," Microsoft said. "This is an important security update for all supported 32-bit editions of Windows XP Service Pack 2."

Finally, Microsoft released one bulletin with a moderate rating. MS07-038 fixes a Windows Vista flaw that could allow incoming unsolicited network traffic to access a network interface. "An attacker could potentially gather information about the affected host," Microsoft said.

Dig Deeper on Microsoft Patch Tuesday and patch management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.