Patch/Configuration Management, Vulnerability Management

Vista, Internet Explorer flaws highlight Patch Tuesday

Microsoft unveiled its first Windows Vista-only patch along with five other security bulletins in its latest monthly "Patch Tuesday" release today.

The Vista-only bulletin, MS07-034, reveals four critical vulnerabilities in Outlook Express and Vista’s email client, said Amol Sarwate, manager of the vulnerabilities lab at Qualys. These could allow the execution of malicious code downloaded in an email message, he said.

"We've got more of the same" from Microsoft, said Eric Schultze, the chief security architect at Shavlik Technologies. "I believe three of the six [bulletins] impact Vista, so it's not immune [from flaws] -- there will always be patches for Vista."

Microsoft's latest round of security bulletins revealed that Internet Explorer suffers from six vulnerabilities. According to Microsoft officials, all but one of the IE flaws covered in security bulletin MS07-033 could allow malicious code to take over a user's PC when the user visits a malicious website. The remaining vulnerability, which also requires the user to visit a malicious website, allows spoofing.

Another of the critical security bulletins, MS07-031, affects the Schannel Security Package, which provides Secure Sockets Layer (SSL) support in Windows. With this vulnerability, a user who connects to a malicious website over SSL, whether from a browser or from any other application that relies on Schannel for the secure connection, could allow that site to execute code remotely on the user's PC.

The flaw lies in how Windows handles the data a secure website sends while the SSL connection is being set up, so a malicious server can use that step to run code on the end-user's PC. This could be deceptive to users who "think they're at a secure website but could be at a hacker site," said Sarwate.

Microsoft, though labeling the flaw as critical, said that attempts to exploit the SSL vulnerability would most likely crash the browser or application.

"The system would not be able to connect to websites or resources using SSL until a restart of the system," noted Microsoft's security bulletin.

Schultze also said that security bulletin MS07-032, labeled moderate by Microsoft, "should be critical. Microsoft is trying to hide something here."

"This allows a user to obtain the username and password of the ‘admin’ account on a Vista system," he said. "So if I'm a company employee and I have a Vista computer, I can easily figure out the ‘admin’ username and password because of the vulnerability, then use it to log onto probably any computer in the company, so I consider it critical."

Both Schultze and Sarwate recommended that users patch their systems "as soon as possible."

Microsoft also released an "important" update (security bulletin MS07-030) for Visio. It covers two privately reported vulnerabilities, plus flaws Microsoft uncovered while investigating the reported flaws. The reported vulnerabilities allow remote execution of code on the user's PC when they open a "specially crafted Visio file."

According to Microsoft, users whose accounts are configured with fewer rights on the system could be less affected by these flaws than users who operate with administrative rights.
