Microsoft Patches Critical Windows Flaw

Started by Sunite, November 19, 2007, 10:12:50 PM


Sunite

Microsoft Patches Critical Windows Flaw
By Jennifer LeClaire
November 14, 2007 8:31AM

One of the updates Microsoft released on Patch Tuesday is a DNS fix that got pulled from October's set of updates. The vulnerability that this patch is designed to fix is well understood in the security community and has been fixed already in many DNS servers, according to Andrew Storms, director of Security Operations for nCircle.

Microsoft released two security updates on Tuesday to patch two vulnerabilities, one rated "critical" and the other "important." The small number of November updates contrasts with the series of Patch Tuesday summer releases that numbered as high as 17 vulnerabilities.

The critical vulnerability addressed on Tuesday could be exploited through malicious Web sites, while the important-rated vulnerability could make way for hackers to redirect Internet traffic from legitimate sites to fake ones.

These patches again emphasize the need for proactive browser protection and the risk of surfing the Web unprotected, according to Dave Marcus, research and communication manager at McAfee Avert Labs. "The critical Windows URI handling vulnerability is already being exploited," he said. "A Windows XP or Windows Server 2003 user with Internet Explorer 7 installed can become a victim by simply clicking a malicious Web link."

The Critical Patch

Security bulletin MS07-061 describes the critical Uniform Resource Identifier (URI) flaw, which only affects IE7. URIs are used to identify Web-based content such as text, video, image, or programs. Microsoft is releasing the fix for all versions of Windows. That's because the bug exists in Windows but, so far, can only be exploited in IE7.

Amol Sarwate, manager of the vulnerability research lab at Qualys, noted that this client-side vulnerability was first identified last month as a zero-day vulnerability that has already been widely exploited, most notably on a collection of Web sites registered in Russia.

This vulnerability affects everyday users of common applications, Sarwate said. "Users can be compromised by clicking on a URL link that attackers have created and made available via various sources like bulletin boards or in e-mails," he explained. "When users click through to visit the site, the attacker-supplied code executes and allows the attacker to take complete control of the system."

Sarwate said that, given that URI translation can be done at the operating system layer or the application level, it's notable that other vendors, including Adobe and Mozilla, released patches in the past weeks to address this issue.

The Important Patch

The second patch, described in security bulletin MS07-062, is a DNS fix that got pulled from October's Patch Tuesday. The vulnerability that this patch is designed to fix is well understood in the security community and has been fixed in many DNS servers, according to Andrew Storms, director of Security Operations for nCircle. Given the implications and potential for exploit, Qualys' Sarwate recommended that DNS administrators treat MS07-062 as critical.

"This is a real man-in-the-middle attack; no firewall or network based tools protect against it, and the fact that it has not been previously patched perpetuates the perception that Microsoft is behind in security," Storms said. "The difference in responsiveness on these two issues typifies Microsoft's track record on security. They have moments of stellar service combined with moments of inattention."

Missing from this month's updates is a Macrovision fix. The bulletin is out and Macrovision has released its code, Storms said, so the patch must be undergoing Microsoft's testing process. He said he expects to see the Macrovision fix in next month's security bulletins.

Despite what appears to be a relatively small Patch Tuesday, the security researchers agreed that the impact to unpatched systems is significant for end users and server administrators.