

Microsoft's Patch Tuesday Plugs Holes in Vista, IE

Started by Sunite, November 20, 2007, 09:41:11 PM


Sunite

Microsoft's Patch Tuesday Plugs Holes in Vista, IE
By Jennifer LeClaire
October 10, 2007 8:44AM



Microsoft released six security updates on Tuesday. Half the lot plugs holes in Windows Vista, while the remaining set fixes vulnerabilities in Internet Explorer and other Microsoft software.

One critical update addresses a vulnerability in Kodak image viewer. Another, which fixes a vulnerability in Outlook Express and Windows Mail, is rated critical for earlier versions of Windows and important for Vista. Meanwhile, security bulletin MS07-060 addresses a vulnerability in Microsoft Word that's rated critical for earlier versions and important for more recent versions.

Moving on to the browser, MS07-057 is a critical-rated cumulative update for Internet Explorer. Two final patches fix important vulnerabilities in Windows SharePoint Services 3.0, Office SharePoint Server 2007, and in remote procedure call (RPC) authentication.

"Today's Microsoft patches emphasize the need for proactive browser protection and the risk of surfing the Web unprotected," said Dave Marcus, security research and communications manager at McAfee Avert Labs.

"Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply clicks a malicious Web link, a favorite attack method among cybercriminals," he said. "Users need to be more careful than ever when surfing the Internet."

Top Priority Updates

Amol Sarwate, research manager of the vulnerability research lab at Qualys, offered a similar take. He said MS07-057, which describes a critical patch relating to an Internet Explorer issue, should be given top priority because it addresses two zero-day flaws.

Attackers could use a spoofing issue the patch addresses to launch phishing attacks against unsuspecting users. The vulnerability opens the door to let attackers write malicious code that leads a victim to a Web site that looks legit, including even the address bar's URL.

In addition to drawing attention to MS07-067, Sarwate pointed to another serious issue: MS07-058. This bulletin describes an update that allows attackers to send special RPC packets to a Windows machine. Those packets can cause the machine to shut down or restart.

"This is unique from the other vulnerabilities the release addresses, as the victim does not have to do anything other than turn on their machine and connect to the Internet in order for this to be exploited," he explained.

Microsoft Word Flaw

One of the other four critical patches is MS07-060, which addresses previously reported "in-the-wild" Microsoft Word vulnerabilities that allow an attacker to send an infected Word document as an attachment or as a downloadable file from a Web site. When opened, the attacker can take over the machine and command it to download spyware, viruses, and Trojans, and conduct other malicious activities.

"This is the same effect caused if MS07-055, the patch for the Kodak image viewer, is not applied and the host machine is exploited," Sarwate said. "As a default image viewing program that comes preinstalled on all Windows machines, users who open infected image files with the Kodak image viewer can be compromised."

Microsoft initially planned to release seven security bulletins, but decided to remove one of the updates from the release schedule due to a quality-control issue, according to Tami Gallupe, the Microsoft Security Response Center (MSRC) release manager.