[ISN] Patch Tuesday: Microsoft Fixes 11 Bugs, 8 Critical

From: InfoSec News (alerts@private)
Date: Tue Jul 10 2007 - 22:17:42 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=201000567

By Sharon Gaudin
InformationWeek
July 10, 2007 

In its monthly Patch Tuesday release, Microsoft issued six security 
bulletins, patching 11 vulnerabilities -- eight of them critical.

Security researchers are warning IT managers to obviously patch all of 
the bugs being fixed today, but to quickly turn their attention to two 
vulnerabilities in Active Directory implementations in Windows 2000 
Server and Windows 2003 Server. Amol Sarwate, manager of vulnerability 
research lab at Qualys Inc., called this the most important of the 11 
bugs that Microsoft is patching this month.

"If you are managing servers, this is the most critical because a hacker 
can crash your machine or anonymously run programs or steal information 
from your Active Directory," said Sarwate.

The Active Directory issue was discovered by IBM X-Force Researcher Neel 
Mehta, who also created proof-of-concept exploit code for it. The flaw 
was reported to Microsoft a year ago this month.

"Active Directory is the corner stone of the Windows network. The Active 
Directory server is used to manage things like user accounts on your 
domain. If a bad guy had that, he could add or delete accounts," said 
Tom Cross, an IBM Internet Security Systems X-Force researcher, in an 
interview. Another IBM researcher, David Dewey noted that if a hacker 
adds himself to the directory as an administrator, he could do anything 
he wants to the network.

Because the two vulnerabilities are in such a key part of Microsoft's 
software, both Cross and Dewey said they're glad Microsoft took so much 
time to work on the patch.

"This one carries quite a few complexities that led it down quite the 
development path," said Dewey in an interview. "We were in lock step 
with them during the entire path. As it turns out, it brought to light 
other coding issues that needed to be corrected. Active Directory is the 
corner stone of the Microsoft enterprise network. Anytime someone pokes 
a hole in that, they need to make sure the fix they put in place is 
thorough and correct. This is extraordinarily critical and they handled 
it appropriately, in my opinion."

Sarwate also noted that a critical bug in Microsoft Excel, as well as 
critical bug in the .Net framework also are worthy of immediate 
attention.

With the Excel flaw, if a user opens a malicious Excel attachment, code 
can be executed on her computer. It's a buffer overflow vulnerability 
that causes remote code execution.

The .Net framework is an environment for building and running 
applications, including Web services. The bug that Microsoft patched in 
the .Net framework also can be used to execute code remotely and 
anonymously.

Three of the vulnerabilities being fixed this month don't rate 
Microsoft's highest risk rating of critical. But Symantec's researchers 
noted that one "moderate" vulnerability that's being patched lies in the 
Windows Vista firewall. Symantec discovered the bug this past February.

This vulnerability exposes network services which should only be 
accessible from the local area network to the Internet, reported 
Symantec in an e-mail to InformationWeek. By tunneling traffic over the 
Teredo protocol, an attacker can access network services, which would 
otherwise have been blocked from the Internet. Even though it's 
classified as an "information disclosure vulnerability," if the flaw was 
combined with a vulnerability in one of the exposed services, this 
vulnerability could have widespread implications.

"As this month's patch release demonstrates, Microsoft's decision to 
rewrite the Windows network stack and its accompanying firewall 
continues to have long-term security implications," said Oliver 
Friedrichs, director of emerging technologies at Symantec Security 
Response. "A network stack can take decades of heavy scrutiny in order 
to become battle hardened. As an operating system's first line of 
defense, its quality is directly related to its ability to withstand 
attack."

Last month, Microsoft issued six security bulletins that patched 15 
vulnerabilities. The June batch of vulnerability fixes affected 12 
critical bugs. In May, Microsoft released seven security bulletins, 
patching 19 bugs. All seven of those advisories were rated critical.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Tue Jul 10 2007 - 22:29:30 PDT