“We’re really trending toward client-based vulnerabilities,” Eric Schultze, chief security architect at Shavlik Technologies, told SCMagazineUS.com today, “where if you visit an evil website, you get hacked.”
Experts were divided over which critical flaw organizations are most pressed to fix.
Don Leatham, director of solutions and strategy at Lumension Security, told SCMagazineUS.com that MS07-057 – a cumulative patch for three privately reported flaws and one publicly reported flaw in IE – could do the most harm to company networks. The flaws could result in remote code execution should users view a malicious website.
“Given the pervasiveness of IE throughout most organizations, that definitely needs to be the priority,” he said.
Andrew Storms, director of nCircle security operations, said the IE patch includes fixes for an address bar spoofing vulnerability and a memory handling corruption bug related to a malformed ActiveX control.
Meanwhile, Schultze said organizations should pay particular attention to MS07-060, which corrects a bug in Word. Microsoft said hackers actively are exploiting the vulnerability, which impacts Office 2000 and XP versions.
Ben Greenbaum, a senior security manager with Symantec Security Response, said the ubiquity of Outlook Express and Windows Mail makes MS07-056 the most pressing patch for organizations to extend to their end-users. The fix addresses a flaw caused by a failure to handle malformed Network News Transfer Protocol (NNTP) responses.
“The vulnerability…has the potential to be the worst of the batch because these applications [Outlook Express and Windows Mail] come packaged with nearly every release of the Windows operating system,” Greenbaum said. “Consumers and enterprises can protect themselves from a potential exploit by not clicking on suspicious links leading to a malicious webpage, keeping computer systems updated, and implementing a full-featured internet security solution.”
The other critical patch addresses a vulnerability in the Kodak Image Viewer.
Microsoft delivered two fixes labeled “important,” the most notable of which addresses a denial-of-service bug in the Windows remote procedure call (RPC) facility. Attackers could exploit the vulnerability by sending malicious packets that could take down an Exchange Server, Schultze said.
Microsoft had planned to release another “important” patch, but decided to scrap it, presumably due to problems that arose during testing, experts said.