The critical patch (MS07-061) resolves a recently discovered, and publicly exploited, vulnerability in Windows operating systems that can allow an attacker to execute code remotely on a victim's PC. The flaw was exploited as a zero-day about a month ago in several attacks launched from Russian websites.
The vulnerability is triggered by a malformed URI (uniform resource identifier) and can crash a user's system or lead to remote code execution. On an affected system, an attacker can craft a link that, when the user clicks it to open an email message or move to another website, for example, silently runs an executable of the attacker's choosing.
"While you think [clicking] is doing one thing, it's actually doing something else entirely," Eric Schultze, chief technology officer at Shavlik Technologies, told SCMagazineUS.com today. "For this issue, at first Microsoft said that it's not its problem, but it took a few weeks to discover that indeed it is its problem, and that this was a complicated fix.
"Because this vulnerability was actually exploited on the internet, it's very critical to deploy this patch to all your machines as soon as possible," Schultze said.
Mozilla had previously released a fix for this vulnerability with an update of its Firefox browser. By correcting the issue in Windows, Microsoft eliminated the problem for all applications running on Windows, not just Firefox, Amol Sarwate, manager of the vulnerabilities research lab at Qualys, told SCMagazineUS.com today.
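The application-side defence that a browser update like Mozilla's represents, validating a URI before handing it to the operating system's protocol handler, as an added example that is not code from the article, Mozilla or Microsoft. It checks a URI against the RFC 3986 character set and percent-encoding rules and against a hypothetical scheme allow-list (`HANDOFF_SCHEMES`). The article does not say how the exploit URIs were malformed; the rejected inputs below are constructed to show the classes of malformation such a check catches.

```python
import re

# RFC 3986 building blocks. Assumption: the "malformed URI" class the article
# describes is modelled as a bad scheme, a character outside the RFC 3986 set,
# a broken percent-encoding or an encoded control character; the article itself
# does not detail the malformation.
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
ALLOWED_RE = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

# Hypothetical allow-list: the only schemes this application will pass to the OS.
HANDOFF_SCHEMES = {"http", "https", "mailto"}


def validate_uri(uri):
    """Return (ok, reason). ok is True only when the URI is safe to hand to a protocol handler."""
    if ":" not in uri:
        return False, "no scheme"
    scheme, _rest = uri.split(":", 1)
    if not SCHEME_RE.fullmatch(scheme):
        return False, "bad scheme syntax"
    if scheme.lower() not in HANDOFF_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    # Whitespace, quotes, backslashes, angle brackets and control characters
    # are all outside the RFC 3986 set and are rejected here.
    if not ALLOWED_RE.fullmatch(uri):
        return False, "character outside RFC 3986 set"
    # Every '%' must begin a %XX triplet; a dangling or non-hex '%' is malformed.
    if "%" in PCT_RE.sub("", uri):
        return False, "invalid percent-encoding"
    # Encoded control characters (%00, %0A, ...) can change meaning after decoding.
    decoded = bytes(int(m.group(0)[1:], 16) for m in PCT_RE.finditer(uri))
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return False, "encoded control character"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: two well-formed URIs and several malformed ones.
    for sample in [
        "http://example.com/a%20b?q=1",
        "mailto:alice@example.com",
        "mailto:%",
        "http://example.com/%zz",
        "http://example.com/a b",
        "http://example.com/%00x",
        "file:///C:/Windows/system32",
    ]:
        print("%-36s %s" % (sample, validate_uri(sample)))
```

The check is deliberately strict: anything the grammar does not explicitly permit is refused, which is the posture an application wants when the downstream handler is shared by every program on the machine.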
The second patch (MS07-062) affects only Windows-based servers running the DNS (Domain Name System) Server service. The flaw allows attackers to redirect traffic to malicious websites and can be used in phishing attacks.
"DNS 'cache poisoning' allows attackers to redirect requests for internet systems and websites to their computers," said IBM Internet Security Systems X-Force Researcher Chris Valasek. "For example, a victim might attempt to reach a legitimate website but get redirected to an attacker's computer instead. The attacker could then fool the victim into disclosing personal information, or launch other exploits against them. This sort of vulnerability has impacted other DNS servers in the past and has been well understood by attackers for a long time. Now that Microsoft DNS Server's susceptibility has been disclosed, we may see renewed attacks of this sort."
"This is not an easy vulnerability to exploit, and an everyday hacker can't exploit this issue," said Schultze. "If you're a DNS administrator for your company, this is a critical patch to install."
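How the cache poisoning Valasek describes works, as an added toy model that is not Microsoft's DNS Server code and does not reproduce the specific weakness MS07-062 fixed, which the article does not detail. A resolver accepts a reply only if its transaction ID, destination port and question match the query it has outstanding (RFC 1035 matching), so a forged reply wins the race against the real answer whenever those fields are predictable. `Resolver`, `poison`, the hostnames and the IP addresses are constructed for the illustration.

```python
import random
import secrets
from dataclasses import dataclass

# Constructed model of a recursive resolver and an attacker racing its queries.
# Not Microsoft's DNS Server; the article does not say which matching field
# MS07-062 hardened. RFC 1035 matching: a reply is accepted only when its
# transaction ID, destination port and question match the outstanding query.


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int
    qname: str


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int
    qname: str
    answer: str


class Resolver:
    """One outstanding query at a time; accepted answers are cached by name."""

    def __init__(self, next_txid, next_port):
        self.next_txid = next_txid
        self.next_port = next_port
        self.cache = {}
        self.pending = None

    def send_query(self, qname):
        self.pending = Query(self.next_txid(), self.next_port(), qname)
        return self.pending

    def receive(self, reply):
        """Accept the reply only if all three fields match the outstanding query."""
        q = self.pending
        if q is None or (reply.txid, reply.dst_port, reply.qname) != (q.txid, q.src_port, q.qname):
            return False
        self.cache[q.qname] = reply.answer
        self.pending = None
        return True


def sequential_txid():
    """Weak: each query's ID is the previous one plus one, so one observation predicts the next."""
    counter = [0]

    def gen():
        counter[0] = (counter[0] + 1) & 0xFFFF
        return counter[0]
    return gen


def random_txid(rng=None):
    """Hardened: 16-bit IDs drawn from a CSPRNG (or a seeded RNG for reproducible runs)."""
    rng = secrets.SystemRandom() if rng is None else rng
    return lambda: rng.randrange(1 << 16)


def fixed_port(port=53):
    """Weak: every query leaves from the same UDP source port."""
    return lambda: port


def random_port(rng=None):
    """Hardened: a fresh ephemeral source port per query adds ~16 more bits to guess."""
    rng = secrets.SystemRandom() if rng is None else rng
    return lambda: rng.randrange(1024, 65536)


LEGIT_IP = "192.0.2.10"    # constructed: real address of the victim name in this model
BOGUS_IP = "203.0.113.7"   # constructed: attacker-controlled server


def poison(resolver, victim_name, guesses):
    """Race the resolver's lookup of victim_name; True if the forged answer is cached."""
    # 1. The attacker has the resolver look up a name the attacker serves, so the
    #    attacker legitimately observes one query's transaction ID and source port.
    probe = resolver.send_query("probe.attacker.example")
    resolver.receive(Reply(probe.txid, probe.src_port, probe.qname, BOGUS_IP))
    # 2. The attacker triggers a lookup of the victim name and floods forged replies
    #    extrapolated from the observed values before the real answer arrives.
    real = resolver.send_query(victim_name)
    for i in range(1, guesses + 1):
        forged = Reply((probe.txid + i) & 0xFFFF, probe.src_port, victim_name, BOGUS_IP)
        if resolver.receive(forged):
            break
    # 3. The authoritative answer arrives last and is dropped if a forgery already won.
    resolver.receive(Reply(real.txid, real.src_port, victim_name, LEGIT_IP))
    return resolver.cache[victim_name] == BOGUS_IP


def demo(seed=None):
    """Run the race against a weak and a hardened resolver; returns which one was poisoned."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    weak = Resolver(sequential_txid(), fixed_port())
    hardened = Resolver(random_txid(rng), random_port(rng))
    return {
        "sequential_txid_fixed_port": poison(weak, "www.example.com", guesses=1),
        "random_txid_random_port": poison(hardened, "www.example.com", guesses=1000),
    }


if __name__ == "__main__":
    print(demo())
```

With a sequential ID and a fixed port a single forged packet suffices; with a random ID and a random source port the attacker is guessing roughly 32 bits per packet, which is why both are standard hardening for any resolver, not just the one patched here.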
Experts had speculated that Microsoft would release a patch for a flaw in Macrovision's secdrv.sys driver. Macrovision released a patch for the flaw, and Microsoft researchers had said they were aware of the flaw and working on a fix.
“The bulletin on this one is out and Macrovision has released their code,” Andrew Storms, director of security operations at nCircle, said. “The patch must be [bogged down] in Microsoft's QA [quality assurance] and software-release process. We'll likely see it next month.”