two
Volume 4, Number 42 -- November 14, 2007

Patch Tuesday Light, Or the Lazy Days of November

Published: November 14, 2007

by Alex Woodie

It was a light Patch Tuesday for Microsoft yesterday, as the software giant posted just two fixes for two vulnerabilities--only one which was critical--in sharp contrast to recent months that saw as many as 17 vulnerabilities being fixed. At least one vulnerability that was expected to be patched yesterday was left alone, raising concern in the security community.

Security Bulletin MS07-061 fixed the lone critical vulnerability patched this month, a remote code execution in Windows XP and Windows Server 2003 that had been known about since midsummer, and which was being used to exploit users via "drive by" attacks on the Web. "This exploit was made public last month and has already been widely exploited, most notably on a collection of Websites registered in Russia," said Amol Sarwate, manager of the vulnerability research lab at Qualys.

The problem, called the URI Handling Vulnerability, allows an attacker to take total control over an affected computer when a victim visits an infected Web site. While the patch was made for Windows, only Internet Explorer 7 had been infected thus far, says Andrew Storms, director of security operations for the security software company nCircle.

The second patch, Security Bulletin MS07-062, fixes a DNS spoofing problem in Windows 2000 Server and Windows Server 2003 that Microsoft deemed "important." Microsoft says this problem had not been publicly disclosed, and is not being actively exploited. MS07-062 is the patch that Microsoft last month elected not to release at the last minute, the second month in a row that had happened.

The small number of patches issued yesterday left some security researchers scratching their heads. "Noticeably absent from this month's release is the much anticipated patch for the Macrovision driver," Sarwate says. "Given that Microsoft released an out-of-band advisory stating that a patch would be available shortly for this vulnerability, it was very surprising that it was omitted."

Storms gave this analysis to the situation: "The difference in responsiveness on these two issues typifies Microsoft’s track record on security. They have moments of stellar service combined with moments of inattention," he says.

There are currently only two vulnerabilities in Windows and other Microsoft products being actively exploited, according to eEye Digital Security, which lists past and current security problems on its Zero-Day Tracker. While both of the problems have been disclosed for well over a year, neither of them are critical in nature, according to eEye.


RELATED STORIES

Six Patches Issued by Microsoft, One Held Back Again

Microsoft Patches Four Security Flaws


Back to the Web Version

TABLE OF CONTENTS
Windows Server 2008 Pricing and Packaging Set by Microsoft

'Viridian' Hypervisor Gains Formal Name: Hyper-V

Intel Announces First "Penryn" Xeon Processors

Microsoft Makes Gains in HPC Market

But Wait, There's More:
Patch Tuesday Light, Or the Lazy Days of November . . . Linux, OS X Desktops to Get NAP Support from Microsoft . . . Oracle Dives into the Server Virtualization Fray . . . Radmin Gets 64-bit Windows Support . . . ArcSight Expands Log Management Offerings . . . Fujifilm Adds GPS Tracker to Tape Cartridges . . .


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement