Patch Tuesday -- Block Critical Vista IE7 Flaws

It's the second Tuesday of the month and that means it's "Patch Tuesday," the day when Microsoft releases all of its scheduled bug patches for June. Besides a batch of "critical" patches, this month also heralds a new patch alert bulletin format.

At first glance, the new bulletin layout looks a little cleaner. The question will be whether it's actually more useable over coming months. My initial take is that it'll seem a little confusing at first.

This time around, Microsoft has patched five critical holes in Internet Explorer, one in Windows online security, and one in Vista's Windows Mail. (MS also patched a critical security hole in Windows' Win32 application programming interface or API, a part of Windows that provides services to all 32-bit Windows applications, but isn't giving any further details as to what it is.)

Probably the most important of the group is another "cumulative update" for IE, which among other things, patches two ugly bugs in IE7 when it's running on Vista. The update is rated "critical" on almost all "supported" versions of IE, from 5.01 running on Windows 2000 Service Pack 4 through IE6 and IE7 running on Windows XP, besides Vista.

While only two of the bugs in IE affect Vista, all five holes also critically affect the earlier versions of IE so it's a good idea to make sure and get the patch. As I've said before, when Microsoft rates a hole as critical, that nearly always means that you could be subject to a drive-by download or an equally nasty experience just by visiting a malicious site or clicking on a poisoned link.

Often the component that supplies an entry for the bad guys has little to do with what you actually see. In this case, for instance, both of the holes that affect IE7 on Vista are in the way IE uses your PC's memory, and one of these is in a part of IE that supports speech control. (But trust me, you don't even need a microphone to have that bug bite you.)

As always, if you have automatic updates enabled, you should get this and the other patches in fairly short order. If not, make sure and update manually. More information and the patch is available at Microsoft Security Bulletin MS07-033.

Vista is also at risk from a hole in Windows Mail ? one that also affects Outlook Express. Note that this patch is only rated critical for Windows Mail, however. It's rated "important" or "low" on Microsoft's four-tier severity scale for Outlook Express versions.

If you're running Vista and click on a booby-trapped link in an e-mail message, you could be subject to a complete takeover of your PC. What's scary about this one is that hackers had already posted a simple proof-of-concept exploit on the Web by the time Microsoft got the patch out.

Again, if you have auto updates turned on, you'll get this patch automatically. If not, or if you'd like to get the patch sooner, go to Microsoft Security Bulletin MS07-034 for more info and the patch.

For those of you still running Windows XP (pretty much everyone, I bet), you'll also want to plug a critical hole in the way XP Service Pack 2 (remember, Service Pack 1 is no longer supported) validates server-sent digital signatures.

The flaw lies in what's called the Windows Secure Channel Security Package and revolves around the way it handles Secure Sockets Layer (SSL) and Transport Level Security (TLS) interactions between your PC and a server. These are encryption methods for handling secure communications of all sorts, including instant messaging or password entry, for instance.

What security mavens call the "attack vector" (meaning, the way you could be successfully attacked) would be one I'm sure you're familiar with by now: you might click a malicious link in an e-mail message or visit a compromised Web site. And then, the attack program would spring its trap.

Microsoft says that in most instances, this would just result in your IM client or browser (or other application) crashing in what's called a "denial of service." But in some instances, once again, this could lead to the complete compromise of your PC. Luckily, by the time Microsoft issued the patch, there had been no proof-of-concept exploits published and no actual attacks "in the wild."

Don?t wait, get the patch automatically or via Microsoft Security Bulletin MS07-031.

Finally, as I said earlier, Microsoft is saying little about the Win32 API bug other than that it's critical and that it involves not correctly validating parameters sent to the API via a function call. That's pretty obtuse but usually means that a cracker tricks the program by, for example, telling the program to expect 10 items and instead sends it 11. Because there's no override in place, the program freaks out and that leaves the door open for a follow-on attack program to take over and run itself on your PC. All in all, a formula for a drive-by download or worse.

This one is rated critical for all supported versions of Windows from Windows 2000 SP4 through XP SP2(Vista is not affected). There haven't been any attacks or published exploits yet, but I'd say get the patch via Microsoft Security Bulletin MS07-035 if you don't have auto updates enabled.

Comments

Post a comment Post a comment

0 / 1000 max characters