
Microsoft patches include cumulative Internet Explorer fix

Microsoft today pushed out six security updates to address vulnerabilities, one less than the company promised last week.

The update delivered four bulletins to correct seven "critical" vulnerabilities in such client-side Windows components as Outlook Express, Internet Explorer (IE) and Microsoft Word.

"We're really trending toward client-based vulnerabilities," Eric Schultze, chief security architect at Shavlik Technologies, told today, "where if you visit an evil website, you get hacked."

Experts were divided over which critical flaw organizations are most pressed to fix.

Don Leatham, director of solutions and strategy at Lumension Security, told that MS07-057 – a cumulative patch for three privately reported flaws and one publicly reported flaw in IE – could do the most harm to company networks. The flaws could result in remote code execution should users view a malicious website.

"Given the pervasiveness of IE throughout most organizations, that definitely needs to be the priority," he said.

Andrew Storms, director of nCircle security operations, said the IE patch includes fixes for an address bar spoofing vulnerability and a memory handling corruption bug related to a malformed ActiveX control.

Meanwhile, Schultze said organizations should pay particular attention to MS07-060, which corrects a bug in Word. Microsoft said hackers are actively exploiting the vulnerability, which impacts Office 2000 and XP versions.

Ben Greenbaum, a senior security manager with Symantec Security Response, said the ubiquity of Outlook Express and Windows Mail makes MS07-056 the most pressing patch for organizations to extend to their end-users. The fix addresses a flaw caused by failure to handle malformed Network News Transfer Protocol (NNTP) responses.

"The vulnerability…has the potential to be the worst of the batch because these applications [Outlook Express and Windows Mail] come packaged with nearly every release of the Windows operating system," Greenbaum said. "Consumers and enterprises can protect themselves from a potential exploit by not clicking on suspicious links leading to a malicious webpage, keeping computer systems updated, and implementing a full-featured internet security solution."

The other critical patch addresses a vulnerability in the Kodak Image Viewer.

Microsoft delivered two fixes labeled "important," the most notable of which addresses a denial-of-service bug in the remote procedure call (RPC). Attackers could exploit the vulnerability to send malicious packets that could take down an Exchange Server, Schultze said.

Microsoft had planned to release another "important" patch, but decided to scrap it, presumably due to problems that arose during testing, experts said.
