Volume 4, Number 34 -- September 12, 2007

Microsoft Patches Four Security Flaws

Published: September 12, 2007

by Alex Woodie

Microsoft yesterday issued four patches fixing four security flaws affecting several of its products, including two flaws affecting recent versions of Windows, and three that have been publicly disclosed. Only one of the patches issued yesterday was rated critical--for a remote code execution vulnerability affecting Windows 2000 SP4--while the company deemed the other three "important." A fifth patch was in the works as recently as Friday, but the software giant elected against releasing it for its September Patch Tuesday.

The critical patch, as delivered by Microsoft Security Bulletin MS07-051, fixes a serious problem in the Microsoft Agent software in Windows 2000 SP4 that could allow an attacker to take complete control of an affected system if the user visited a malformed Web site or opened a malicious e-mail.

The vulnerability is a variation on the Microsoft Agent URL Parsing Vulnerability that Microsoft fixed in July for all Windows operating systems. Apparently, that patch didn't entirely fix things for Windows 2000 SP4 users. But nobody has been hurt yet, as Microsoft says the vulnerability has not been publicly disclosed, nor used as the basis for an attack. Just the same, Windows 2000 SP4 users should apply the patch immediately, as hackers and script kiddies are bound to start using the flaw for attempted exploits in the days and weeks to come.

Windows developers who use the version of Visual Studio that contains an integrated version of Crystal Reports should apply Microsoft Security Bulletin MS07-052 immediately. This patch fixes a known remote code execution flaw in Visual Studio that can be exploited by opening malicious RPT files. This flaw, which is also known as the Crystal Reports Stack Overflow Vulnerability, has been publicly reported for some time. Nevertheless, Microsoft says it's not aware of any successful attacks utilizing this vulnerability.

Microsoft Security Bulletin MS07-053 fixes an important vulnerability in all modern versions of Windows, including Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The problem has to do with the Windows Services for Unix and the Subsystem for Unix-based Applications components in Windows—specifically the "setuid" routine, which is used to run programs under the program's owner's user profile instead of the user profile of the user making the request. Microsoft credits Brian Reiter of WolfeReiter with finding and reporting the flaw, which Microsoft says has been publicly disclosed, and is in limited distribution.

The final fix, Microsoft Security Bulletin MS07-054, may be the most important. MS07-054 addresses an "important" vulnerability in MSN Messenger versions 6.2, 7, 7.5, and 8.0 that could allow an attacker to take complete control of an affected system if the user accepted a malicious chat request.

While Microsoft has since shipped MSN 8.1, which is not susceptible to the problem--which is officially known as the MSN Messenger Webcam or Video Chat Session Remote Code Execution Vulnerability--the older versions of MSN Messenger were shipped on almost all versions of Windows, including Windows Server 2003 and Windows Vista. The fact that this vulnerability has been publicly reported--credit for finding it goes to Woo Shi of team 509--makes it even more dangerous.

Microsoft did not give this vulnerability a critical rating, despite the fact that it carries a remote code execution risk, because it requires some trickery on the part of the hacker to get the user to accept the malicious chat request. However, this is the same level of user stupidity required to make the Microsoft Agent URL Parsing Vulnerability work, and that vulnerability received the "critical" rating.

Also making MS07-054 stand out is the fact that it's the latest in a string of vulnerabilities to target social networking sites and their supporting technologies. According to security tool vendor Qualys, a range of other vendors have addressed problems in the technology supporting social networking sites, including Adobe, Real Networks, and Apple. Apparently, hackers are turning their attention to social networking sites as they become more popular.

Microsoft also pulled a patch for its SharePoint software at the last second. When Microsoft sent out its usual e-mail last Thursday telling customers what patches to expect on Patch Tuesday, it had five patches, including one for an elevation of privilege risk for SharePoint. Microsoft did not disclose why it chose not to ship this patch, although it was almost certainly a quality issue.




Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.