[ISN] Microsoft fixes 14 flaws in biggest patch day since February

From: InfoSec News (alerts@private)
Date: Tue Aug 14 2007 - 23:10:17 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9030696

By Gregg Keizer
August 14, 2007 
Computerworld

In its biggest one-day security update since February, Microsoft Corp. 
today issued nine bulletins that patched 14 vulnerabilities in Office, 
Internet Explorer and every edition of Windows. Eight of the fixes were 
pegged as critical, the company's highest risk rating.

Faced with an overload of vulnerabilities -- including some in 
components that Microsoft has patched in the past -- researchers 
squabbled over which should get priority.

"I think six of these are equally important," said Andrew Storms, 
director of security operations at nCircle Network Security Inc.

"The GDI vulnerability is the most critical," said Amol Sarwate, the 
manager of Qualys Inc.'s vulnerability research lab.

"MS07-042 affects everything," said Don Leatham, the director of 
solutions and strategies at PatchLink Corp.

The only update that all three agreed should be moved to the top of the 
list was the one that patched a bug in Windows Graphics Rendering Engine 
(GDI). According to Microsoft's MS07-046 advisory, the GDI bug affects 
Windows 2000, XP and 2003 Server and a successful attack could give the 
hacker complete control of the PC.

"This affects a core Windows subsystem, and all versions except for 
Windows Vista," said Sarwate. "Unlike most other vulnerabilities, this 
one doesn't need an application, like Internet Explorer; all that's 
needed is a [malformed] image file. The only good news here is that this 
does not affect Vista."

PatchLink's Leatham cited the GDI bug as one of two he said should be 
patched immediately, and he rang the alarm even louder than Sarwate. 
"This has the potential to be as dangerous as the WMF vulnerability 
[from late 2005]," he said. "Microsoft makes it sound as if the typical 
exploit would come as some sort of e-mail attachment, but the GDI is 
used by about every single Microsoft application out there.

"Hackers will look at this like Nirvana, something this low level that 
they can use to target about every workstation in an enterprise," warned 
Leatham.

The WMF (Windows Metafile) vulnerability, a zero-day bug that hackers 
began widely exploiting at the end of 2005, was patched in early 2006 by 
one of the rare out-of-cycle fixes that Microsoft has issued. Even 
today, the WMF exploit's impact on Windows users remains among the 
largest ever.

Eight other bulletins, however, will vie for administrators' attention. 
Some, said Storms, Sarwate and Leatham, should get that attention before 
the others. Here are some of the fixes each one of them singled out:

  * Storms: "The idea of virtualization is a really big thing in IT 
    today, and everyone who does it in the enterprise has the same 
    concern: Can the guest OS [in a virtual machine] affect the host 
    OS?"  For that reason, he put the spotlight on MS07-049, even though 
    the update was rated "important," not "critical." The No. 1 concern 
    of those running virtualization software in a corporate enterprise, 
    he said, is "How much can we trust the guest OS?" The bug patched 
    today could let users with administrative privileges on the guest 
    operating system run code on the host operating system, or even on 
    another virtual machine's guest operating system, according to 
    Microsoft.
    
  * Sarwate: "MS07-045 affects all versions of Internet Explorer. This 
    vulnerability is in the [Cascading] Style Sheets [CSS], which are 
    the building blocks of any site." According to Microsoft's advisory, 
    IE's parsing of certain strings in CSS is flawed; attackers could 
    exploit it by enticing users to a malicious Web page, resulting in a 
    full PC hijack.
    
  * Leatham: "MS07-042 affects everything." The vulnerability, which 
    exists in multiple versions of XML Core Services -- the component 
    that provides interoperability between several scripting languages, 
    including JScript, Visual Studio and XML applications -- affects 
    every supported version of Windows, including Vista. Microsoft rated 
    the bug as critical across the board. "There's so much going on with 
    XML in enterprises," said Leatham. "That's why this is so 
    dangerous."

Microsoft also patched flaws in Excel -- yet another vulnerability in a 
Microsoft Office document format -- Windows Media Player, the Windows 
Vector Markup Language (VML) and three of the Microsoft-made gadgets 
bundled with Vista.

"This is a good batch," said nCircle's Storms, but he didn't mean it in 
a nice way. "There are a lot of 'criticals' here, and on the trends and 
patterns side, a lot of what I call 'repeat offenders.'" By that, Storms 
meant new patches that Microsoft has had to lay atop code or components 
patched one or more times before. "Excel is a repeat offender, so is 
GDI. VML is too, and XML Code Services."

As usual, Microsoft's monthly updates have been posted to Microsoft 
Update and Windows Update services, and they can also be retrieved 
through Windows Server Update Services (WSUS). The necessary files can 
also be downloaded directly from Microsoft's Web site.

