After a light November round, December’s Patch Tuesday fixes from Microsoft are likely to have security administrators on their toes. The Redmond, Wash.-based company today released seven fixes for 11 vulnerabilities, labeling three of them “critical” because they could allow an attacker to remotely hijack a user’s computer.
The critical patches affect Microsoft DirectX, Windows Media File Format and Internet Explorer.
Additionally, five of the seven bulletins impact Microsoft’s new Vista operating system, and of those, two impact Vista only, Eric Schultze, chief technology officer at security vendor Shavlik Technologies, told SCMagazineUS.com.
“The more alarming vulnerabilities are those in Windows Media Format Runtime and Internet Explorer (MS07-068 and MS07-069, respectively),” said Ben Greenbaum, senior research manager at Symantec Security Response. “A successful exploit could occur when a user visits a malicious webpage or when viewing a malicious email. Neither issue requires any further interaction by the victim to exploit, compounding the problem.”
Schultze agreed with Greenbaum.
The Internet Explorer vulnerability (MS07-069) “is actively being exploited on the internet and is the first one that needs to be fixed,” he said. “But [the Windows Media File Format flaw] is also critical because it impacts all of Microsoft’s operating systems.”
Meanwhile, this month’s cycle saw a number of patches addressing bugs in Vista, billed as Microsoft’s most secure operating system to date.
“This underscores the fact that security is a process and never really a completed task,” Greenbaum said.
Two of the bulletins, MS07-063 and MS07-067, addressed zero-day vulnerabilities, Amol Sarwate, manager of the vulnerability research lab at Qualys, told SCMagazineUS.com. He said the types of vulnerabilities Microsoft must address have changed over the past year.
“We’ve seen a trend in the past year of client-side vulnerabilities that make use of social engineering attacks to target end-users rather than servers,” Sarwate said. “These are targeted to desktop users who are not too security savvy.”
One of the “important” patches, MS07-063, fixes an issue in Server Message Block Version 2 (SMBv2). This digital-signing technology, which allows Vista PCs to authenticate their identities with other Vista PCs, was created as a security feature in Vista to prevent one PC from impersonating another, Schultze said.
The vulnerability, however, allows a malicious third party to impersonate another Vista PC, he said.
“This is new code specifically developed for Vista,” Schultze said. “So that means it would have gone through Microsoft’s security review cycle, but this vulnerability slipped through and no one caught it. This shows that the security vetting process is not perfect, and even with the best effort to catch these issues, things still slip through.”
Another of the “important” fixes, MS07-067, corrects a problem in the Macrovision secdrv.sys driver in Windows Server 2003 and Windows XP. Macrovision delivered an update for this problem a month ago.
In a separate announcement, Microsoft released Office 2007 Service Pack 1 (SP1) on Tuesday. The company said this service pack improves the performance, security and stability of its suite of productivity applications.