Volume 4, Number 45 -- December 12, 2007

Eleven Security Flaws Patched by Microsoft

Published: December 12, 2007

by Alex Woodie

Microsoft patched 11 flaws with seven patches yesterday, the final Patch Tuesday event of the year for the software giant. The haul included three fixes for critical flaws in Windows, Internet Explorer, and the Windows Media Player--including two zero-day threats that are already being exploited, and two flaws affecting only Windows Vista.

The fun starts with Security Bulletin MS07-064, which addresses two related flaws in the Windows DirectX software that could allow an attacker to take control of an affected computer if they somehow got a victim to open a malicious media file. One or both of the flaws are present in every client and server version of Windows going back to Windows 2000 SP4, so the upgrade to Windows Vista won't help you.

Microsoft says it's not currently aware of any attacks using the flaws in DirectX versions 7, 8, and 9. It credits Jun Mao of VeriSign iDefense Labs, Peter Winter-Smith of New Generation Security Software, and Jung-hyung Lee and Minseong Kim of antivirus software maker AhnLab with reporting the flaws.

The fun continues with Security Bulletin MS07-068, which fixes a critical remote code execution problem affecting Windows Media File versions 7, 9, and 11 in every recent client and server version of Windows except for the Itanium versions of Windows Server 2003. Microsoft, which credits Ryan Smith of IBM's Internet Security Systems division for finding the flaw, says it's not aware of any attacks using the flaw.

Microsoft warns users that applying Security Bulletin MS07-068 could cause some other things to stop working, so read the two Knowledge Base articles referenced in the security bulletin before applying these patches if you're concerned about it.

A zero-day flaw in Internet Explorer has been snuffed with Security Bulletin MS07-069, which fixes the DHTML object memory corruption flaw that attackers have been exploiting, and four related "uninitialized memory corruption" flaws that they haven't got to yet.

This patch, like the other critical patches mentioned above, should be applied to every currently supported version of Windows in the world. Microsoft credits a bevy of researchers with TippingPoint Technologies and the Zero Day Initiative (which is a project of TippingPoint, which itself is a subsidiary of 3Com, http://www.3com.com) with spotting this flaw.

Vista is the only release of Windows that should be getting Security Bulletin MS07-063, which fixes an "important" remote code execution vulnerability affecting the new operating system. The problem has to do with a flaw in Vista's implementation of the Server Message Block Version 2 (SMBv2) apparatus. The fact that SMBv2 is turned off by default kept this flaw from receiving "critical" status. The public was not aware of this flaw before yesterday, and nobody had been exploiting it, Microsoft says.

Security Bulletin MS07-065 fixes a flaw in the Microsoft Message Queue (MSMQ) technology, as found in Windows XP SP2 and Windows 2000 SP4. This flaw, which could give an attacker control of an affected computer if the user accepted a maliciously crafted MSMQ message, was given an important rating because MSMQ is not enabled by default on the affected operating systems. Again, Microsoft says it's not aware of anybody exploiting this flaw, much less even knowing it exists. Microsoft credits the Zero-Day Initiative and ADLABS with bringing this flaw to its attention.

Microsoft fixed a potentially serious flaw affecting the kernel of the Windows Vista operating system with Security Bulletin MS07-066. This flaw, which is caused by a problem with the Windows Advanced Local Procedure Call (ALPC) mechanism, could be used to launch an elevation of privilege attack or take complete control of a victim's computer, according to Microsoft. However, the successful attacker must have valid log-on credentials, which means it can't be remotely exploited. In any event, this flaw is not currently being exploited, according to Microsoft, which credits Thomas Garnier of SkyRecon with spotting the problem.

The final fix, Security Bulletin MS07-067, addresses the other zero-day threat, an elevation of privilege problem in Windows XP and Windows Server 2003. This flaw is the result of a problem in the Macrovision driver in these operating systems.

Amol Sarwate, manager of the vulnerability research lab at Qualys, says the current batch of mostly client-side vulnerabilities continues an ongoing trend. "The main target continues to be the every-day desktop user who may not be as aware of the IT security threats as the typical IT administrator," Sarwate says. "Organizations need to increase awareness of these vulnerabilities to all users across the enterprise or else they could be vulnerable to malware and other Web-based attacks."

Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
