two
Volume 4, Number 38 -- October 10, 2007

Six Patches Issued by Microsoft, One Held Back Again

Published: October 10, 2007

by Alex Woodie

For the second consecutive month, Microsoft changed its mind over the weekend and elected not to release a security patch it was working on the week prior. Instead of seven patches, as the software giant last Friday alerted the world to expect, Microsoft released six patches for nine security flaws, including four critical flaws affecting various versions of Windows, Word, Internet Explorer, Outlook Express, and SharePoint Server.

The fun starts with Microsoft Security Bulletin MS07-055, which fixes a critical error in Windows 2000's Kodak Image Viewer that could give hackers complete control of a computer if they tricked a victim into opening a malformed image. Microsoft says this vulnerability, which was privately reported by an individual named Cu Fang and Global 360's Rita Schapper, is not being actively exploited.

However, others report that this patch is being actively exploited, and therefore should be applied as soon as possible. "MS07-057 . . . should be given top priority, as it addresses two zero-day issues," says Amol Sarwate, research manager of the vulnerability research lab at Qualys.

The fun continues with Microsoft Security Bulletin MS07-056, which fixes a memory corruption vulnerability in Microsoft's implementation of the Network News Transfer Protocol (NNTP), which is used in Microsoft Mail and Outlook Express across every version of Windows since Windows 2000. Microsoft says this vulnerability, which it credits Greg MacManus of VeriSign's iDefense Labs with helping to find, is not being actively exploited.

An eight-month-old vulnerability was patched with Microsoft Security Bulletin MS07-057, a cumulative update for Internet Explorer versions 6 and 7 that patches a total of three vulnerabilities. Information about the Address Bar Spoofing vulnerability in IE7 has been in the public domain since February, although there haven't been any known exploits using it, according to Microsoft and the SANS Internet Storm Center. Microsoft credits Pierre Geyer of next.motion OHG and Jakob Balle of Secunia with finding this exploit. MS070-57 also provides fixes for the Error Handling Memory Corruption flaw, which Microsoft says Carsten Eiram of Secunia helped find, and another Address Bar Spoofing problem.

The final critical patch, Microsoft Security Bulletin MS07-060, fixes remote code execution problems in Word 2000 and Word XP. Microsoft says these bugs were privately reported by Liu Kun-Hao of Information and Communication Security Technology Center, and haven't been used to infect computers in the wild.

Microsoft also issued two "important" patches, including Microsoft Security Bulletin MS07-058, which addresses a denial of service vulnerability in the remote procedure call (RPC) in all client and server variants of the Microsoft operating system since Windows 2000. Microsoft credits the Zero Day Initiative for reporting this flaw, and says it hasn't spotted any use of the vulnerability in the wild.

MS07-058 is unique in how it infects, according to Sarwate. "This is unique from the other vulnerabilities the release addresses today, as the victim does not have to do anything other than turn on their machine and connect to the Internet in order for this to be exploited," he says.

The final patch, Microsoft Security Bulletin MS07-059, fixes a publicly reported vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 running on various versions of Windows Server 2003. This vulnerability could allow an attacker to run a malformed script that gives him an elevation of privilege within the SharePoint site, and possibly even access to user information. Microsoft gave the flaw an "important" rating.

According to Microsoft's early patch disclosure last Friday, the patch that didn't make it through would have fixed an important flaw affecting Windows 2000, XP, Vista, and Windows Server 2003. The company did not disclose why it chose not to release the patch at this time.

Microsoft did a similar thing last month, when the company alerted the world to five patches, but then only delivered four when September Patch Tuesday rolled around. That patch addressed SharePoint security, and became this month's Security Bulletin MS07-059.


RELATED STORIES

In Search Of a More Secure Internet

Microsoft Patches Four Security Flaws


Back to the Web Version

TABLE OF CONTENTS
Six Patches Issued by Microsoft, One Held Back Again

VMware Previews Future Hypervisor, Creates SMB Bundles

Akamai Debuts Service to Speed Any IP-Based Application

Microsoft Wants To Manage Your Health Records

But Wait, There's More:
RingCentral Gives Small Businesses a Taste of VoIP . . . Rumor: Windows XP SP3 Will Get More Vista Features . . . Gates, Raikes to Keynote OCS 2007 Launch Next Week . . . Google, IBM Partner on Utility Computing Cloud . . . Gartner Warns IT Is Running Out of Space and Juice--Again . . . The Never-Ending Story: Enterprise Software Integration . . .


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement