
Microsoft Issues a Dozen Security Patches, Fixes Security Tools



It’s that time again–time to get your patches on, and to do so quickly. Microsoft yesterday hosted the biggest Patch Tuesday event of the young year when it posted 12 security fixes for 20 security flaws in its products. Seven of the patches addressed zero-day flaws that have been used to launch attacks across the Internet in recent weeks, and there was even a patch fixing Microsoft’s security tools, which could have automatically triggered the exploit with no interaction from the user.

 

We’ll start with the six critical patches. Microsoft Security Bulletin MS07-008 fixes the critical HTML Help ActiveX Control vulnerability that could enable a hacker to take total control over a computer running Windows 2000 Service Pack 4 (SP4), all 32-bit and 64-bit versions of Windows XP and XP SP2, and all versions of Windows Server 2003. Microsoft says this was a newly disclosed, privately reported vulnerability, and that it’s not aware of any current Web attacks exploiting the flaw, which Microsoft credits Breakingpoint Systems with helping to track down.

Microsoft Security Bulletin MS07-009 fixes the critical and previously disclosed Windows MDAC ActiveX Vulnerability. This is a potentially nasty remote-execution vulnerability that affects select products, including Windows 2000 SP4, Windows XP SP2, Windows Server 2003, and the Itanium version of Windows Server 2003 (but not Windows Server 2003 SP1 or any of the X64 versions of Windows). The French Security Incident Response Team first spotted the flaw, Microsoft says.

The software giant surprised everybody with Microsoft Security Bulletin MS07-010, which fixes security problems in a slew of its security offerings, including Windows Live OneCare, Antigen for Exchange and Antigen for SMTP Gateway, various Windows Defender releases, and Forefront Security for Exchange Server and SharePoint. Microsoft says the problem has to do with the way these products parse PDF documents. The flaw was privately reported to Microsoft by IBM’s ISS X-Force security group.

You could say that Big Blue’s X-men helped Microsoft dodge a serious bullet with MS07-010. According to security software developer Qualys, this vulnerability was potentially disastrous for Microsoft. “As scanning engines, these applications could automatically activate the exploit with no user interaction required,” says Amol Sarwate, manager of the vulnerability research lab at Qualys. Also, because these scanning engines work with Windows Vista, they could be used to exploit Vista machines, even though Microsoft has not yet issued any patches for the young operating system.

Microsoft Security Bulletin MS07-014 is a biggie. This megapatch fixes six vulnerabilities in all recent versions of Office Word (except for Office 2007), including Office for Mac. Four of the problems fixed with this patch are zero-day flaws currently being exploited across the Internet. Microsoft credited several groups with helping to find and fix the problems, including Information and Communication Security Technology Center, the United Services Automobile Association, and AV-Test.

Microsoft Security Bulletin MS07-015 tackles a pair of related security flaws freshly discovered in recent versions of Excel and PowerPoint (except for Office 2007 and the versions included in Microsoft Works). While only one of these flaws (the Excel Malformed Record Vulnerability) is currently being exploited, both flaws could be exploited by a hacker to take complete control of an affected system. Microsoft credits VigilantMinds with helping to spot the PowerPoint problems.

The final critical patch, Microsoft Security Bulletin MS07-016, is a cumulative update for Internet Explorer versions 5, 6, and 7, running on all recent versions of Windows, except Windows Vista. The patch fixes three new problems that are related to running ActiveX controls and using FTP, and that carry the risk of remote code execution. One of the problems had been publicly described, but none of them had been used to launch attacks on the Web, Microsoft says. The company credited iDefense and Breakingpoint Systems with reporting the problems.

Microsoft also issued six patches it deemed important (just not as important as the critical patches fixing the most serious flaws, discussed above). Microsoft Security Bulletin MS07-005 fixes the Interactive Training Vulnerability, a newly discovered problem that poses a remote code execution risk for Windows 2000 SP4 and all 32-bit and 64-bit versions of Windows XP (including SP2) and Windows Server 2003 (including SP1). Security-Assessment.com, a security company based in Australia and New Zealand, reported the flaw to Microsoft, the software giant said.

Microsoft Security Bulletin MS07-006 addresses an elevation of privilege vulnerability that exists in Windows XP and Windows Server 2003 (but not in Windows 2000 SP4 or Windows Vista). This flaw, which Microsoft gave an “important” rating, had not been publicly disclosed before yesterday.

Microsoft Security Bulletin MS07-007 fixes an important elevation of privilege vulnerability affecting only Windows XP SP2. Microsoft says an unchecked buffer in the Windows Image Acquisition service could enable an attacker to gain complete control of an affected system, as long as he was already logged on. This vulnerability was privately reported and hasn’t been exploited in the wild, Microsoft says.

The final three patches are closely related, and were discovered by the same group of people.

Microsoft Security Bulletin MS07-011 fixes a memory corruption condition in the OLE Dialog component of all recent versions of Windows (sans Vista). This flaw (like the flaws discussed below) could be used by an attacker to take over a computer if he tricked a user into opening a malformed RTF file. However, the flaw only rates as important on Microsoft’s scale because it would be difficult for a criminal to execute an attack over the Web, according to the company.

Microsoft Security Bulletin MS07-012 fixes the MFC Memory Corruption Vulnerability, another remote code execution flaw that afflicts all recent versions of Windows (except Vista, of course) and some Visual Studio releases.

Microsoft Security Bulletin MS07-013 fixes the Microsoft RichEdit flaw in all versions of Windows (except Vista) and all recent versions of Office (except Office 2007 and the Excel and PowerPoint viewers in Office 2003 SP2).

Microsoft credited the security software company Immunity and the European Aeronautics Defense and Space Company (EADS) with finding the problems addressed by MS07-011, MS07-012, and MS07-013. The company says none of these flaws has been exploited yet.

For more information on yesterday’s Patch Tuesday or to sign up for today’s security Webcast, go to the Microsoft TechNet Security Center.

Read More :

http://www.itjungle.com/two/two021407-story02.html
