Volume 4, Number 38 -- October 10, 2007

Six Patches Issued by Microsoft, One Held Back Again

Published: October 10, 2007

by Alex Woodie

For the second consecutive month, Microsoft changed its mind over the weekend and elected not to release a security patch it was working on the week prior. Instead of seven patches, as the software giant last Friday alerted the world to expect, Microsoft released six patches for nine security flaws, including four critical flaws affecting various versions of Windows, Word, Internet Explorer, Outlook Express, and SharePoint Server.

The fun starts with Microsoft Security Bulletin MS07-055, which fixes a critical error in Windows 2000's Kodak Image Viewer that could give hackers complete control of a computer if they tricked a victim into opening a malformed image. Microsoft says this vulnerability, which was privately reported by an individual named Cu Fang and Global 360's Rita Schapper, is not being actively exploited.

However, others report that at least one of this month's patches addresses flaws that are already being actively exploited, and therefore should be applied as soon as possible. "MS07-057 . . . should be given top priority, as it addresses two zero-day issues," says Amol Sarwate, research manager of the vulnerability research lab at Qualys.

The fun continues with Microsoft Security Bulletin MS07-056, which fixes a memory corruption vulnerability in Microsoft's implementation of the Network News Transfer Protocol (NNTP), which is used in Microsoft Mail and Outlook Express across every version of Windows since Windows 2000. Microsoft says this vulnerability, which it credits Greg MacManus of VeriSign's iDefense Labs with helping to find, is not being actively exploited.

An eight-month-old vulnerability was patched with Microsoft Security Bulletin MS07-057, a cumulative update for Internet Explorer versions 6 and 7 that patches a total of three vulnerabilities. Information about the Address Bar Spoofing vulnerability in IE7 has been in the public domain since February, although there haven't been any known exploits using it, according to Microsoft and the SANS Internet Storm Center. Microsoft credits Pierre Geyer of next.motion OHG and Jakob Balle of Secunia with finding this vulnerability. MS07-057 also provides fixes for the Error Handling Memory Corruption flaw, which Microsoft says Carsten Eiram of Secunia helped find, and another Address Bar Spoofing problem.

The final critical patch, Microsoft Security Bulletin MS07-060, fixes remote code execution problems in Word 2000 and Word XP. Microsoft says these bugs were privately reported by Liu Kun-Hao of Information and Communication Security Technology Center, and haven't been used to infect computers in the wild.

Microsoft also issued two "important" patches, including Microsoft Security Bulletin MS07-058, which addresses a denial of service vulnerability in the remote procedure call (RPC) facility in every client and server version of Windows since Windows 2000. Microsoft credits the Zero Day Initiative for reporting this flaw, and says it hasn't spotted any use of the vulnerability in the wild.

MS07-058 is unique in how it can be exploited, according to Sarwate. "This is unique from the other vulnerabilities the release addresses today, as the victim does not have to do anything other than turn on their machine and connect to the Internet in order for this to be exploited," he says.

The final patch, Microsoft Security Bulletin MS07-059, fixes a publicly reported vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 running on various versions of Windows Server 2003. This vulnerability could allow an attacker to run a malformed script that grants elevated privileges within the SharePoint site, and possibly even access to user information. Microsoft gave the flaw an "important" rating.

According to Microsoft's early patch disclosure last Friday, the patch that didn't make it through would have fixed an important flaw affecting Windows 2000, XP, Vista, and Windows Server 2003. The company did not disclose why it chose not to release the patch at this time.

Microsoft did a similar thing last month, when the company alerted the world to five patches, but then only delivered four when September Patch Tuesday rolled around. That patch addressed SharePoint security, and became this month's Security Bulletin MS07-059.

Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
The Windows Observer
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034