Vista's Security Honeymoon Is Over
Published: April 11, 2007
by Alex Woodie
After skipping the month of March and issuing an emergency out-of-band patch last week to address a spreading security threat that affected Windows Vista, things returned to normal yesterday when Microsoft issued six security fixes as part of its regular Patch Tuesday cycle. However, the news was not good for Windows Vista, which received another patch for a zero-day remote execution vulnerability--the second such patch in as many weeks, and a strong indication that Vista's security honeymoon is over.
Leading off this month's round of patches is Microsoft Security Bulletin MS07-017. This is the patch that Microsoft issued April 3 to fix the .ANI, or Animated Cursor, flaw--which is being used by criminals in several countries to hijack people's computers when they open a malformed e-mail or visit a maliciously created Web site--in addition to six other less critical vulnerabilities. Special care should be given to applying this patch, as well as the earlier MS07-008 patch, which cause DLL errors on some Windows XP machines; see KB935448 for the fix for the fix.
The most critical of the patches issued yesterday is Microsoft Security Bulletin MS07-021. This patch fixes a trio of problems in the Windows Client/Server Run-time Subsystem for all current versions of Windows--including Windows Vista--that could let computer terrorists launch code execution, denial of service attacks, and elevation of privilege attacks when victims visit malformed Web sites.
The patch fixes a critical remote code execution vulnerability known as the Vista Memory Corruption Zero-Day flaw, which has been known about since mid-December and is currently being actively exploited on the Web, according to SANS Internet Storm Center. Microsoft credits Tim Garnett of Determina Security Research with finding this flaw, whereas security researcher and software developer eEye Digital Security is credited with finding the elevation of privilege flaw.
The Vista Memory Corruption zero-day flaw is just the start of Windows Vista's security problems, says Amol Sarwate, manager of vulnerability research at Qualys. "While Microsoft fixed the .ANI vulnerability last week, a new Vista vulnerability has emerged and was addressed today, leading experts to believe that this is the beginning of the weaknesses that we will see this year with Vista and that Microsoft's reuse of code from previous versions of Windows can weaken Microsoft's new Security Development Lifecycle (SDL)," he says.
The second most critical patch issued yesterday, Sarwate says, is Microsoft Security Bulletin MS07-019, which fixes a critical memory corruption vulnerability in Windows XP's Plug and Play service that could let an attacker execute code on an affected machine. Microsoft gives credit to Greg MacManus of iDefense Labs for finding this flaw, which Microsoft says is not being currently exploited (but don't count on that for long).
The third most critical patch is Microsoft Security Bulletin MS07-018, which fixes a pair of critical memory corruption and cross-site scripting and spoofing flaws in Microsoft Content Management Server 2001 Service Pack 1 (SP1) and SP2 that could enable an attacker to take complete control of an affected machine. Microsoft says it's not aware of any active exploits taking advantage of this flaw, which was discovered by NetCraft's Martyn Tovey. Content Management Server 2001 is nearing the end of life, and its capabilities are being incorporated into SharePoint Server 2007, which isn't affected by the flaw.
Another critical remote code execution flaw is fixed with Microsoft Security Bulletin MS07-020. This patch fixes a memory corruption problem in Microsoft Agent, a Windows component that uses "interactive animated characters to guide users and . . . make using and learning to use a computer easier," Microsoft says. (In light of the .ANI flaw and now this one, maybe it's time to rethink the use of animated characters in secure operating systems?) This flaw afflicts all current versions of Windows except for Vista, but is not being actively exploited, says Microsoft, which gives J.J. Reyes and Carsten Eiram of security research firm Secunia credit for catching this bug.
eEye of Aliso Viejo, California, is also credited with finding the elevation of privilege vulnerability that was fixed with Microsoft Security Bulletin MS07-022, which Microsoft has given an "important" rating. This flaw affects Windows 2000 and Windows XP, but is not being actively exploited.
When you get your patch through MU, WU, or AU (Microsoft Update, Windows Update, or Automatic Update, for the uninitiated), you'll also find a new release of the Malicious Software Removal Tool. To sign up for the Web cast that Microsoft is hosting today at 11 a.m. PT regarding yesterday's patches, go to www.microsoft.com/technet/security/default.mspx.