[ISN] Microsoft Patches 20 Security Vulnerabilities

From: InfoSec News (alerts@private)
Date: Tue Feb 13 2007 - 22:28:51 PST


By Matt Hines
February 13, 2007

Updated: The software giant matches its all-time high for monthly 
security fixes, issuing a dozen bulletins that aim to patch 20 holes in 
its products, including 14 critical issues in Windows, Office, IE and 
even its own anti-virus tools.

Microsoft delivered its monthly batch of security updates on Feb. 13, 
delivering fixes for 20 individual problems in its products included in 
a dozen bulletins, six of which were dubbed as critical, the firm's most 
severe vulnerability rating.

Among the security updates issued by Redmond, Wash.-based Microsoft was 
a cumulative bulletin for the company's Internet Explorer browser which 
seeks to address three issues all ranked as critical by the software 

Included in the IE bulletin were fixes for a pair of COM (component 
object model) instantiation memory corruption vulnerabilities, and a fix 
for an FTP server response parsing memory corruption issue. The issues 
are rated as critical in versions of the browser previous to its current 
IE 7 iteration in which they rank as only "important" or "low."

In another cumulative bulletin, Microsoft issued patches for six 
individual problems in its Word products, five of which were rated as 
critical in the Office 2000 iteration of the product. Included in the 
update were fixes for a malformed strong vulnerability, malformed data 
structure flaw, malformed object drawing glitch, malformed function 
problem and a Word count issue, all of which received the critical 
designation in the Word 2000 version of the program.

An additional macro vulnerability and examples of the other five 
security problems present in later versions of Word were given the less 
severe ranking of important. However, all six of the Word 
vulnerabilities could lead to remote code execution by attackers if 
properly exploited, Microsoft stated.

In another Office-related bulletin, Microsoft distributed patches for 
two individual problems in the package, specifically detailing a 
malformed record memory corruption vulnerability in the product's 
PowerPoint presentation application, along with a malformed record issue 
discovered in the Excel spread sheet program. Both issues were ranked as 
critical in the Microsoft Office 2000 version of the productivity suite, 
and only as important in later iterations of the platform.

Among the other critical security bulletins issues by Microsoft was a 
fix for a problem in its HTML Help ActiveX Control software which ranked 
as critical in its Windows 2000 SP4 and Windows XP SP2 programs, and 
charted as only "moderate" in its Windows Server 2003 and Windows Server 
2003 SP1 products. If exploited, the problem could allow affected 
computers to be taken over remotely by hackers, the company said.

Microsoft also moved to fix a well-publicized vulnerability in the Data 
Access Components element of its ActiveX software rated as critical that 
exists in its Windows 2000 SP4 and Windows XP SP2 products. The problem 
is also present in the firm's Windows Server 2003 package, but rated as 
only a moderate risk in that product.

Attempting to patch an embarrassing flaw in its own anti-virus software, 
Microsoft issued a patch for a critical problem in its Malware 
Protection Enginewhich is an element of nearly all the company's 
security products, including its Windows Live OneCare, Antigen for 
Exchange 9.x, Antigen for SMTP Gateway 9x, Windows Defender, and 
Forefront Security packages.

Like the other flaws addressed by Microsoft, the security product issues 
could also allow for remote code execution of affected computers, the 
company said.

Included in the six bulletins ranked by Microsoft as only important were 
fixes for problems in the company's step-by-step interactive training 
program, with related vulnerabilities cited in the firm's Windows 2000 
SP2, Windows XP SP2 and Windows Server 2003 products.

Other important bulletins were shipped to address issues in the Windows 
shell technology, Windows image acquisition service and Windows OLE 
(object linking and embedding) dialog system. The company issued 
important patches for issues in its MFC (Microsoft Foundation Class) 
library technology in Windows, and its Visual Studio products, as well 
as to fix a problem in the RichEdit function of its Windows and Office 

Security researchers highlighted Microsoft's move to shut down at least 
six product vulnerabilities that have been used in so-called zero-day 
attacks, or malware threats aimed at flaws previously unrecognized by 
the software maker.

"Today Microsoft patched six vulnerabilities that were previously used 
in recent targeted zero-day attacks," Dave Marcus, security research and 
communications manager with McAfee's Avert Labs, said in a report.

"This continues the trend of malware authors targeting widely deployed 
Microsoft business applications and services. Malware authors continue 
to find unknown or unpatched vulnerabilities in popular applications and 
services which are then used in zero-day attacks, putting both business 
and consumer data at risk."

While Microsoft tied its record for its greatest number of security 
bulletins, having shipped another dozen of the updates in August 2006, 
the February 2007 release fell short of the company's record for the 
most individual patches, as some 23 individual issues were addressed in 
the August '06 shipment.

However, the February 2007 shipment does establish a high-water mark for 
critical patches released by the software vendor in one month as 
Microsoft addressed only 10 issues earmarked as critical in the August 
'06 batch of patches, while the February '07 release seeks to fix a 
total of 11 critical security problems.

Editor's Note: This story was updated to include additional information 
from McAfee.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Tue Feb 13 2007 - 22:37:49 PST