Volume 4, Number 26 -- July 11, 2007

A Potpourri of Fixes Marks A Slow Patch Tuesday

Published: July 11, 2007

by Alex Woodie

It was a relatively quiet Patch Tuesday yesterday as Microsoft issued six patches for 11 vulnerabilities affecting products ranging from clients to servers and from the .NET runtime to Excel and the Vista firewall. None of the fixes for the July Patch Tuesday addressed so-called zero-day problems, in stark contrast to the array of zero-day patches Microsoft issued earlier this year. But it's still a good idea to get the patches loaded up quickly.

Heading the list this month is Microsoft Security Bulletin MS07-036, which addresses three separate critical vulnerabilities in Excel 2000, 2002, 2003, and Excel 2007, and is one of the more important patches issued yesterday.

The security flaws fixed by MS07-036 could allow attackers to take over affected computers after users opened a malformed Excel spreadsheet, either through a Web browser or as an e-mail attachment. Of the three vulnerabilities, only one, the Worksheet Memory Corruption vulnerability, had been publicly disclosed before Microsoft did so yesterday. However, the software giant says it's unaware of any attacks carried out using any of the vulnerabilities.

The next critical patch, Microsoft Security Bulletin MS07-039, fixes a pair of security problems in Active Directory. A malformed LDAP request could allow an attacker to take total control of an affected server (with the Active Directory Remote Code Execution vulnerability) or cause the server to shut down (with the Active Directory Denial of Service vulnerability). Microsoft says neither of these vulnerabilities, which were discovered by Peter Winter-Smith of NGSSoftware and Neel Mehta of IBM's Internet Security Systems X-Force, is currently being exploited in the wild.

MS07-039 should be a priority for administrators of Windows 2000 servers and Windows Server 2003 servers, says Jonathan Bitle, manager of the technical accounts team at security software firm Qualys. "It's of particular concern because it takes advantage of open ports on Windows servers and doesn't require any client interaction," he says.

Another critical patch issued yesterday is Microsoft Security Bulletin MS07-040, which fixes three vulnerabilities in the .NET Framework versions 1.0, 1.1, and 2.0. The flaws, which are caused by unchecked buffers in various .NET services and improper validation of URLs in the ASP.NET component, carry a risk of remote code execution and unintended information disclosure if a victim were to visit a malformed Web site.

Despite its reputation as a developer tool, the .NET Framework is used in practically every Microsoft operating system, even if it's not installed by default. "A lot of people who might not think they have .NET installed may be surprised to find that they have it," Bitle says. All three of the .NET Framework flaws were privately reported, and none of them are being used in attacks. Microsoft credits representatives with OWASP, Security Assessment, Sumatra, and Portcullis Computer Security with finding the flaws in the .NET Framework.
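The point above, that many machines carry a .NET Framework install their owners are unaware of, is something an administrator can check from the registry. The script below is an added example, not part of the article: it lists the installed framework versions and flags those in the range MS07-040 covers (1.0, 1.1 and 2.0). It assumes the documented registry layout, where 1.1 and later register under the NDP key with an Install value, and 1.0 under the older .NETFramework\Policy key.

```powershell
# Added example: inventory installed .NET Framework versions and flag
# the ones MS07-040 covers. Run in an elevated PowerShell session.
# Assumption: 1.1+ register under NDP\<version> (Install=1, SP=<n>);
# the 1.0 release is recorded under the legacy Policy key instead.
$affected = @('v1.0', 'v1.1', 'v2.0')
$found = @()

# .NET 1.0 does not appear under NDP; its presence is marked by this key.
$v10 = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Policy\v1.0'
if (Test-Path $v10) {
    $found += New-Object PSObject -Property @{ Version = 'v1.0'; SP = '?' }
}

# 1.1 and later: one subkey per version, e.g. v1.1.4322 or v2.0.50727.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
Get-ChildItem $ndp -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^v\d' } |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.Install -eq 1) {
            $found += New-Object PSObject -Property @{
                Version = $_.PSChildName; SP = $p.SP
            }
        }
    }

# Reduce v2.0.50727 to v2.0 before comparing against the affected list.
foreach ($f in $found) {
    $major = ($f.Version -split '\.')[0..1] -join '.'
    $flag  = if ($affected -contains $major) { '<- covered by MS07-040' } else { '' }
    '{0,-14} SP{1}  {2}' -f $f.Version, $f.SP, $flag
}
if ($found.Count -eq 0) { 'No .NET Framework install recorded in the registry.' }
```

A flagged line only means an affected version is present; whether the MS07-040 update itself has been applied has to be confirmed through Windows Update or WSUS.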

Microsoft also issued three patches for security problems it deems "important," including Microsoft Security Bulletin MS07-037, which fixes a remote code execution flaw in the Publisher component of the Office 2007 system. This flaw could be exploited by an attacker by convincing a victim to open a malformed Publisher (.pub) page. Security researcher and software developer eEye Digital Security of Southern California was credited with finding the flaw.

Another important patch is Microsoft Security Bulletin MS07-041, which fixes a remote code execution flaw in Internet Information Services (IIS) version 5.1 running on Windows XP Service Pack 2. This flaw, which is caused by an unchecked buffer in the Web server's URL parser, has been known about since 2005. Despite the potential for remote code execution, this flaw garnered only an important rating because IIS version 5 is not part of the default Windows XP SP2 package. Microsoft credits Jonathan Afek and Adi Sharabani of Watchfire with finding this flaw.

The final fix is Microsoft Security Bulletin MS07-038, which patches a problem in the Windows Vista firewall that could allow information to leak out of a computer unexpectedly. A problem in the Teredo interface causes some firewall rules to be bypassed, and could allow an attacker to gain access to the computer and its contents by tricking a user into clicking on a link in a browser, e-mail, or IM message. Microsoft credits Jim Hoagland and Ollie Whitehouse of Symantec with finding the problem.

Compared to earlier this year, July's Patch Tuesday was light fare, Bitle says. That's both good news and bad news.

"I do imagine in the future we'll see more critical vulnerabilities than this," he says. "The trend that we're seeing is more individuals are more interested in exploitation for monetary gain rather than exploitation for fame. People would rather take advantage of a system and use it for a botnet, for spam or for computing power. They'd rather have that as a source of income rather than the fame."

As we saw several weeks ago, when hackers using the MPack toolkit compromised at least 10,000 Web sites in a matter of hours, hackers and computerized criminals are becoming more sophisticated. And even if the number of publicized flaws is going down, don't be lulled into complacency, thinking all the world's computer security problems have been fixed. In this case, what you don't know can hurt you.

"They're out there," Bitle says of the unseen hackers. "Typically, if they're doing their job well, you don't know they exist."

Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034