http://www.informationweek.com/news/showArticle.jhtml?articleID=201000567

By Sharon Gaudin
InformationWeek
July 10, 2007

In its monthly Patch Tuesday release, Microsoft issued six security bulletins, patching 11 vulnerabilities -- eight of them critical.

Security researchers are warning IT managers to obviously patch all of the bugs being fixed today, but to quickly turn their attention to two vulnerabilities in Active Directory implementations in Windows 2000 Server and Windows 2003 Server.

Amol Sarwate, manager of vulnerability research lab at Qualys Inc., called this the most important of the 11 bugs that Microsoft is patching this month. "If you are managing servers, this is the most critical because a hacker can crash your machine or anonymously run programs or steal information from your Active Directory," said Sarwate.

The Active Directory issue was discovered by IBM X-Force Researcher Neel Mehta, who also created proof-of-concept exploit code for it. The flaw was reported to Microsoft a year ago this month.

"Active Directory is the cornerstone of the Windows network. The Active Directory server is used to manage things like user accounts on your domain. If a bad guy had that, he could add or delete accounts," said Tom Cross, an IBM Internet Security Systems X-Force researcher, in an interview.

Another IBM researcher, David Dewey, noted that if a hacker adds himself to the directory as an administrator, he could do anything he wants to the network.

Because the two vulnerabilities are in such a key part of Microsoft's software, both Cross and Dewey said they're glad Microsoft took so much time to work on the patch.

"This one carries quite a few complexities that led it down quite the development path," said Dewey in an interview. "We were in lock step with them during the entire path. As it turns out, it brought to light other coding issues that needed to be corrected. Active Directory is the cornerstone of the Microsoft enterprise network. Anytime someone pokes a hole in that, they need to make sure the fix they put in place is thorough and correct. This is extraordinarily critical and they handled it appropriately, in my opinion."

Sarwate also noted that a critical bug in Microsoft Excel, as well as a critical bug in the .Net framework, are also worthy of immediate attention.

With the Excel flaw, if a user opens a malicious Excel attachment, code can be executed on her computer. It's a buffer overflow vulnerability that causes remote code execution.

The .Net framework is an environment for building and running applications, including Web services. The bug that Microsoft patched in the .Net framework also can be used to execute code remotely and anonymously.

Three of the vulnerabilities being fixed this month don't rate Microsoft's highest risk rating of critical. But Symantec's researchers noted that one "moderate" vulnerability that's being patched lies in the Windows Vista firewall. Symantec discovered the bug this past February.

This vulnerability exposes to the Internet network services that should be accessible only from the local area network, reported Symantec in an e-mail to InformationWeek. By tunneling traffic over the Teredo protocol, an attacker can access network services that would otherwise have been blocked from the Internet. Even though it's classified as an "information disclosure vulnerability," if the flaw was combined with a vulnerability in one of the exposed services, this vulnerability could have widespread implications.

"As this month's patch release demonstrates, Microsoft's decision to rewrite the Windows network stack and its accompanying firewall continues to have long-term security implications," said Oliver Friedrichs, director of emerging technologies at Symantec Security Response. "A network stack can take decades of heavy scrutiny in order to become battle hardened. As an operating system's first line of defense, its quality is directly related to its ability to withstand attack."

Last month, Microsoft issued six security bulletins that patched 15 vulnerabilities. The June batch of vulnerability fixes affected 12 critical bugs.

In May, Microsoft released seven security bulletins, patching 19 bugs. All seven of those advisories were rated critical.