Volume 4, Number 30 -- August 22, 2007

Patch Tuesday: Nine Security Tweaks for the Windows Stack

Published: August 22, 2007

by Timothy Prickett Morgan

While IT Jungle was away on holiday last week and Alex Woodie, the editor of The Windows Observer, was coping with a few days of grogginess following the birth of his first child, Jonathan, Microsoft was busy putting the finishing touches on its Patch Tuesday security patches for the month of August. This time around, there are six critical patches and three important patches for Windows and related programs.

Here is a rundown of the six critical patches first. All of them plug security holes that would otherwise allow attackers to craft malware or viruses capable of executing code remotely on Windows machines.

Microsoft Security Bulletin MS07-042 plugs a security hole in the XML Core Services embedded in Windows 2000, Windows XP, Windows Vista, Office 2004, and Office System 2007. Microsoft Security Bulletin MS07-043 discusses how OLE Automation, a feature of Windows 2000, Windows XP, Office 2004 for the Mac, and Visual Basic 6, can be exploited to allow remote code execution. These patches should also be applied to Windows Server 2003, but carry a lower rating on that platform in Microsoft's severity scale. Excel has its own vulnerability, which is plugged with the patches explained in Microsoft Security Bulletin MS07-044; this patch is critical only for Office 2000 SP3 and is rated important for Office XP SP3, Office 2003 SP2, and Office 2004 for the Mac. Microsoft Security Bulletin MS07-045 is a critical patch for Microsoft's Internet Explorer browser that addresses three separate vulnerabilities allowing remote code execution. This set of patches is critical on Windows 2000 SP4 with IE 5.01 SP4 or IE 6 SP1 and on Windows XP SP2 with IE 6; on Windows Server 2003 with IE 6 it is rated only a moderate risk, and on Windows XP SP2 and Windows Vista with IE 7 it is rated merely important. Microsoft Security Bulletin MS07-046 explains how a flaw in the Graphics Rendering Engine in all Windows releases except Windows Server 2003 SP2 and Windows Vista can let an attacker who crafts a malicious image break into your machine and run code; this flaw has now been patched. Finally, the last critical patch comes in Microsoft Security Bulletin MS07-050, which explains how the Vector Markup Language used across the entire Windows line can be exploited if you don't take your Windows Update medicine.

As the monthly bulletin summary also explains, three important patches were released to plug holes in Windows Media Player, Windows Gadgets, and Virtual PC and Virtual Server. The first two vulnerabilities allow remote execution of code, while the third allows elevation of privilege, which in turn would let a user on a guest virtual machine run code on the host operating system or on another guest VM.

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034