Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Patches 4 Critical Flaws



 By: Brian Prince
2007-04-10
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Updated: On the heels of an out-of-band security update, Microsoft issues patches for additional "critical" flaws.

Patch Tuesday has arrived, and brought with it patches for a number of security vulnerabilities rated "critical" by Microsoft.

The four updates considered critical deal with remote code execution vulnerabilities in Microsoft Agent, the Universal Plug and Play service, Content Management Server and the Windows Client/Server Run-time Subsystem (CSRSS). A fifth update is rated "important" and addresses a privilege elevation vulnerability that exists in Windows Kernel due to incorrect permissions on a mapped memory segment.

This flaw cannot be exploited remotely.

The five bulletins released today contain fixes for a total of eight vulnerabilities, and come on the heels of last weeks out-of-band update. To Don Leatham of the Scottsdale, AZ-based security vendor PatchLink, the fact some of the vulnerabilities affect Vista is proof that while the new OS features security enhancements, users should not get cocky.

Resource Library:
"Jumping immediately to Vista increases your security but it does not make you invulnerable," said Leatham, PatchLinks director of security solutions, in an interview with eWEEK.

The Symantec Security Response rated the Microsoft Agent vulnerability to be the most critical of the security bulletins because a successful exploit could allow an attacker to install malicious code and potentially gain complete control of the affected system.

The vulnerability affects the Microsoft Agent ActiveX component of Microsoft Windows 2000, Windows XP and Windows Server 2003, but does not affect Vista.

To exploit this vulnerability, an attacker would have to convince users to visit the Web site.

"Symantec views these patches as critical because there is an increased potential for exploitation since these vulnerabilities affect multiple versions of Microsoft Windows, including Windows Vista," said Vince Hwang, group product manager, Symantec Security Response.

"Symantec always recommends that users download the available Microsoft patches to mitigate the security risks and to optimize and protect their systems from attacks."

Other security specialists deemed the patch for the CSRSS vulnerabilities as equally or more important, noting all three CSRSS flaws affect Windows Vista and prior versions of Windows. A remote code execution vulnerability exists in the CSRSS process because of the way that it handles error messages.

Two other flaws involving CSRSS—one dealing with how it handles its connections during the start and stopping of processes and the other how it handles error messages—were also patched. Neither of those two flaws, however, can be exploited remotely, according to Microsoft.

"The most interesting thing about this vulnerability [MS-07021] is that we have a CVE on Dec. 21, 2006 and a Microsoft Security Response Center blog posting on Dec. 22, 2006 on this same vulnerability well in advance of Vistas release in January 2007," said Andrew Storms, Director of Security Operations at nCircle in San Francisco.

Microsoft ANI patch causes problems with third-party apps. Click here to read more.

Microsoft has also fixed two flaws in Microsofts Content Management Server, a product that allows customers to build, deploy and maintain Web sites. One is a problem in how HTTP requests are handled, while the second is a spoofing or cross-site scripting vulnerability caused by the Microsoft Content Management Server not completely validating input provided in an HTML redirection query before it sends this input to the browser.

Another remote code execution vulnerability exists in the UPnP service involving the way it handles specially crafted HTTP requests. An attacker who has successfully exploited this vulnerability could run arbitrary code in the context of local service, according to Microsoft.

Michael Sutton, Security Evangelist for Atlanta-based SPI Dynamics, urged businesses to move decisively but cautiously when rolling out updates.

"Internal testing is required to first ensure that the update does not conflict with any third party or custom built applications," he said. The days following a patch release present significant risk for corporations. Once details of the vulnerability are available, the clock starts ticking between attackers attempting to develop exploit code and corporations trying to successfully deploy patches. Its a winner take all race to the finish."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Microsoft Patches 4 Critical Flaws
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}ks8q8c"#dK-ě[HH"$e[3wro7%?2s h4{$sG3L{B.cnQ?sOuޙ'w6{R(%GFgP+N-w5 E]0eNFNv@\}@^sF"wD!H/ԞTa@]2d4;s6!7esM/cߨ&`&`1\tl8lTl@!j:a?XX$1qH Ñh] \(>߱L㈄-:;|w*EFN838Ӽi/Da)lTHUb&{By<%;^6;FqB {.Y^Z␌,GZEX'/[vx1B!"BτwKA%˙8I@ؓ&Iuh m5r'ӨRcb#9Qހ]ݱ&R,RE͌iAw4ԬkScG 7GCLH<~0[QM9$7 V\jRNX0'C8:)X ۱2˭]6e5^G~;mgE5GlR" =y74JaHO LE7rؗCY֌aE-S4uHUZ+R^(Տ}޴ ޷L{`Ryݙ EU E{v#,;܎6ගESq={r9?'7;AW;YJL~'@DrT*,ID>&-ԆNI_H5}(D~oZzQ-GjR;ғ4f3}3-iH,-?Z:u!usX&R*CA-At֬?c;Szqsھy^{7}rڻ&Iř{F0@qgs jm pOy5HYz>540V+%%vdCԺt|=!9Io'?پBds#$7R(y#0ri4(-ߖAfw[ a7tBmҔj )B!aF`usn5r'@̀kifkPXT`k4R 9lb vfyP:?o dr!CCj9nVȨESAB!I F 'LlO|yx!zY]U'dauEUi3[fhnϱ'Nk&e.:~C8^$glh|*$]ezrcZԶWjGdvTR8-b(WZ`Lm41,Ltͭ y0贁;mF_{3jYcv"5d}4>ljACA4icŦ4@ӧ&hCҋ:LZ w|H[ sX >$n#AE%i-DCw PIe&3@yGALνbrgm͠~(wMnHi>h^0hp.ppYY?90@]qksB7}`@jkwii#1).aHd˵NK] cRR,H I#r*B1l`@n! P,Ћr)l׀ry !sg r\B=7^ ˥>*-qR% 53TYNjL=?뺾n3!~G,[E`z9r,T.k 6JԭyRpJ >Ѥ53 [ܺM -؂ H[%LEw\,t+AP91!n;A뎒\V3,+X5{0qycY@{jwtӲ٦͙iÆqjS_a! eBC`>.{S^jkȓ,-~K{]ذr {2  yvw[=&n0|$<2_O#i[} e~hB=Ss&A|5i!3'Xefڠӣ(!w1JiX$ U)3r&\$2n|N -XЁUrsXkjpp1vV=% Υ_8ͧםe+@oÄ&9QKe!6(c}ji-6!ӞWʈ>,Z!?r(1IO5@&^`Gm d*9Ц-PcY}6bDm"k(-ER&=G5MH85G[τOAU 88qx3??4X)0,Ly. >Fc`'|\scItP&ʰm8Zzq&$KDX(T4q ֚0̈́O5O_c>Ѐ!ak&A>4b66\,0|"j*:VH00l@:hRԒxZC@^~~ JIheH}=4nj}3ʫ2 yYVj qlE)WJJZ =62z4Ebwc:1о<_[ q˻S ?ӇhÿOCzCp`>3@|G>O,{'ЌȐvX ʌB?C4B~^ YpwQD@)%X ӣzpto散) nr4tq\3@$76}}v~:N(uX89'&b)FGtlɂtx! 2h:ln`wY0>AC5"耰 {3E6(56o;@+%5-| JI1H%kSsGŕR6#n71SZ`fzž,n(jVT+km7xAW܇v1"xሣ5T6ӝMt8&ڳ"jJ ~vsTtx9kZ%qf+FLY5=:YCҐ,,O3(~ (\{C>ku uAL>q\TS,.=MXJ?YX^cC`t>X8'?lgH # +So~.RH##I q gwPDb n gzDssbh^f>A%&BP`&w,Oo@V ~5}>μ]͎\~gQV M=8;$Ec.i{+f^;.y0N 0޿V Ї_eCR>"-u/Z:b8K!,Uރ 2`i4Ajx{DC}?JfWJ۫Vݽ ]:layt:x0\O!9аqo0]8K%y;"ˎu oлw9"xP!λ.Y G}99ﴮ OM1&05hȜ@)st_z0lzB_KݹĂ~K՜$"Z*sON3$nX,*~q);coM1w~mm`!旁ސPZ#  G@R`OH5['#yKtc;-38ǞZhh !酘:e}E/c)%Q\(h"9]8Q%lw FWE'k'{-$2}m1ў.W` eڃ͟ɼ.Vrۨ'I Nn|9p_<@#ppz Pxc.A)H7ܹJ9$S0QJ"g8NE;)~ڲ/Y(^Hc˹? {vN){ GQغCO[ ̫],mg̐s$SJ)ҤX BgJȄa{e%)a5R!MLEYOE/D$f;Bz{ giMN.m2ϼ Kvn+7; VH_8_`tOZB HY)o9yb}@N^MJpUK ŏ]xm a%]9$gy/вo*zUb۽msE;-v<6Sf  eFoP/[gY.40soCd#ޓd=fL[ S&`<U-w6OJE{lh]G(Pv4q5ܘxk3eȥ'q="~/ gwUv@r@Px~6YnYu9<|M-/^Ss>]ej @OKtG]_ Q{O{[#60N Ģ7i62cSOR1\XBki62> ZA#XؑrbLd$J;oݭn \ B;BJ <$N#>[42]CnMk#Ǵ§ ,'iƿ'ʫqVԱQ*2$;lߖc3Ocpߍ_k ]5pc[__bBj{nnal_oލ<t(ı߂[dZ:GM yDu4JQa&F/z{_p[05Ǜb~J )@\@t?թ7ZS~=իᨃ1Kt^7Sر9ޱ#3wx}zZn* {!4~2uSМ7on]kcAժB <\N>R}ҺnѤK.д|B%Lh/K/&Y&@ލ >C^<Y%=:^f'J%+ #XIǦ7Xs΃ j_紵yn@ U+JZJ&I –8IVeӓJcʻ,-U!/L*恐8@0ɗz'>lpLZ DA]ޚRMDD4AX$l9Cf^Mܽ2Bl=/'V|M -d#/1>l$D˓̨teqw1v<ۑZVJx #X @P|yZON@[/W$6>`%iw|i0ŐšR@ ԕ FҷJcg"wGFwÊtX}E:~mE|  !!v;$u@oD*m;UvTmyMp3f3#7777X-Pz8M/oE J7/],A5Tk#&,P\,VyyQX=,ی*~ [ΏR!z~x( x.iR5DtMٮUK mKQݼ4{i!9'$ aAu0J{%sp|^-IlS8S)- ,OŔ?<tӺT!ײ 4|LpV'  (|1P[i7h%|IQ %) ӅřKBjg0c* V۰EWxw/I /i 9f3y;z /ڒN_̶H]{iVǻrBbt=dԳ)/4{Ra@ *Hflsa{!Dۅ' J[ϋYZc9I{UEQZO۫y>IXYM nè[ݒ^+.'s3zAh>hޱiO8qIz$B"|0P+^d|k ד0"a7wdCfɽp----!eXտme TR҅UZs Yu`dzh18-Ӡq$2+OD8$<يOC gA2DPl8. 2ä="Lam?>Y?͠#tI};d??~܋w!?3 я{ 0TXT#0AƵH÷RH@M)t~ ǝ@ rϏ٣-?  T֜rc[a>8TUjձv1c)M[3+pU vra"{%9p07 LX8~܋k"RPi!Fԏ{Kb+xJ7{F$hkkJ%A5V9MJ-9#S^a,R kp΃(L,Tw<ƽ7‹/͛I~oY+CC4m.951E>R>&sj|Z-ԕ|咿%:^Yr: ZMx n  "r\Io$TC '-r(MGZJ>A>?0}VSLx!Vy ?Lm =q,vX5{,s3eizQ':Ƣr /{A$y ck?tkelM/ ')3"[7\Zh 0>5)lKW+V+H-JR;r/ _S UVRA;Cwm/` 4TOdG>yԑ8mx##/RVIyւ +U؀>l|<630qb#>(vBAfɿ_b~x Al; sXx[Mw-=#zit0! ,_=o4xޝJ߶$|ͱɂofs[OyَU݆[kn3r959S\mD 96Z_a8Rm{Ω ΒLq ʹG[Vj湐.04&n'SX肜ifc|>Mx{ Rp`߷b~usYl:-h%mf^6xlt95x*cPH1_*j@(eiir'&'G졢Vo/>QH oGZ !ߕ߉tgZtM80* >~"7A6po2zS,TZ~K";{h:Mx\Lu _"a< w{y̤7fy@͜2 rIe+փފ> 3A@:-u@ y2vAf.B0 /!N ꞓM3thaȈ4p(M$a{mޛEF@c10 > cwOmd|֐D ]TVZAfx!:\Ko@aqh x?qa%?Er6Б`5b'r{L~7:7/z_ chT`sԪߩ͘d5B&(qik8<4>|?_iN0- ‚5"t~d 01W1/aں5g+bvr]? Y_j Ot@>WZj !1g昱Gi>'_/J (`,×)vqU@y+DL]zDG׆m~bI *͕$\}~'`:xPc# .E.[a8= S};1l]]!k"ם:\w%9nJoWj(;urһrڽ\]w/橉30kym21^ Γ^9l]t283Ks!Yx9K x5< /Eyx&0Xf/AwpD0/* F^-Àec n_w}5-;YWG>tɉcdHw>>jZ (CrYi8\(:hOvɀ.;fRZl<##ȿ'-VF~{HmA'O? nyݜmvF>?t/3݌_ s+ʘ E/E|E~/?_d">/>/2y2c!sFe 0{ s?0׃2ː?=/ rqAWP*5uO0kF>1 l)>C|}} dd  M%:IX g+8=r gs z)W@^dկ?e4#R zvA^eR51 ௟ߗdlڽ:鵓 q)•x^U^xڙiQqۭMP+G{2Ti k{yH J r hxWYdRd b{Xe?~V,$=)>7槤Jxϕ]B&;JػRo,lcENZ9&yQgΒ'8V0'fY !,E5 ^Uނl>܃fcp2 #GYȘkOV/3iKЈw3+ =y&9݆ϻL>#a0.: 7X.[ZG|ţ;TumaPsqdmoqކrIڟ'+?u>wzP[sԙqW֢@)zyXkLg4}eRևɧ K !Qd,m4q< 9sQu8 % ~HM3wNR?аs|욮SjC UG7qTѰ8&f uDɹT)jIoR-W+俒kD2z@tb 3R 5W9 طVR`"8! T:QȀFuo*%N0fy=qӐa1VoћBDO"ħm!b+X# ڼx[T!;7 5@)GP` K؞::^G,'r r!gMߟSǽd 6V{I[h7辥P:A=d4hjy }b0p9+hw `{ԑ}z8~7mJN x-&7:\>|# .Lemzy;w08*,dpdٴđ] %(V@|sS 5Fd#Mr5XwNCX`w|,"AIk.Y?0 =#CPСt ':B>k&| t (6-K? `ީ`wƨլ])"!kyM+|$ SfAL qwL/jk>M45~ɱdL(1 kEF(t#bybrQ\Br/O>m 'Nsؖ?fu|qfk6d1|vu7Lᒿ'/R^ۍVY:!ZnrxًŒb22FƻB|(pIDj*ާMLfu 61-dx$=s}vP70 > !>!{Dx48 " 2kHH 2s{B|'؂Z{JfAMKYcӄ0^8ᯘٝVX"WdԢԱQ#tH߱ =8_G1a`a?>N@6AыpO`Ƶ{B=hϑt$,Z8:Z5m$=IKh4[5b8gKJҦwr\ 뱻$֭0\"gzܤ;K^n ӧRǞ,HIBO/C3/bz`#8}k,X̨D ,[K|IGnX0";>m`>Lc'LXfc.Lc0ŴBChI -(P?'knx# e`}`ghBS0Ry4s*>`H6A1<;Z>K:ׁݞVo (o}8l//l4hM@(DPF->D+7agLJ B C&\[Yc"sEt䘲%(Xp^'A63w6E~bȱȎlyJ./՜GċOgxeѵh_Q;Y?] 瑞m-1k8~mA=fe,+U[f:ePeX!o'ᠢ׀%V`9"I_S|8N=TÃGHȸ׬[[ q~6`1<Ш1DLmvE9bꛦ\PpKؕEld3kgycD]Y>;Ѝ O11ngFb  fφŀ𞭟n{L16 af+1ݱOUt c)dv̄6 !yyuvҕ ^襸ɍIac^d;+)ؐs{OHbO1lF Tv7`F*)AuҰO· xs+2)Oq,EGJ^d'KU̱ &7=wKpF ]<A CaXqk @rcodi-=n|ptٖ‚҂&!۝4!jɂ^޿`*X8Ml\㍿cP1Tߛi4V~$7Eѓem.^(Պ[kvB[W셫Qbm٦di29Z}) q֫46=v[;6aNw6~ЄM'^vesgH*