Microsoft Tackles Vista, Virtualization

By Lisa Vaas  |  Posted 2007-08-14 Print this article Print

Patches"> If a gadget creator is evil, Schultze said, he or she can execute other code in that box on the side of your screen, given that the vulnerabilities allow anonymous remote attackers to run code with the privileges of a logged-on user. "If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget an attacker could potentially run code on the system," Microsoft said in its bulletin. No other operating systems besides Vista are vulnerable to this one.
To read about Vistas top three support issues, click here.
Finally theres MS07-049, a flaw thats only rated important but which researchers find very interesting. This vulnerability concerns the ability to elevate privileges in Virtual PC and Virtual Server that could allow a guest operating system user to run code on the host or another guest operating system. "While it is not the most severe vulnerability covered by Microsoft this month, IBM ISS considers MS07-049, the virtual machine vulnerability in Microsoft Virtual PC and Microsoft Virtual Server, to be the most interesting," said X-Force Researcher Tom Cross in a statement. "Enterprises are increasingly embracing virtualization to simplify IT management and cut infrastructure costs. As this trend continues, were going to see attackers use vulnerabilities like MS07-049 to leverage control over one virtual host to infect others on the same server. This is a new kind of attack methodology that requires unique protection." To exploit this virtualization vulnerability, a guest operating system does need administrative permissions to the guest operating system, Microsoft noted. Still, its notable, given that this flaw allows a guest to cross a chasm thats supposed to be uncrossable, breaking out of one machine and into another because theyre running on the same piece of hardware, Schultze noted. "Thats a big one if youre relying on virtualization," he said. Microsofts Virtual PC and Virtual Server technology may be less widely deployed than that of VMware, but it is still used on plenty of production servers to host Web sites or other applications, he said. To sum it all up: As Paul Zimski, senior director of market and product strategy for PatchLink put it, this months Patch Tuesday "has headache written all over it." The details of the patches indicate a broad spectrum of exposure, Zimski said in a statement. "The potential attack vectors exposed by these vulnerabilities include direct OS targeting (including Vista x32 and x64), fully-patched Internet Explorer 6 and 7, XML core services, Windows Media Player and Office. This is a target-rich environment for hackers. Organizations need to remediate these vulnerabilities as quickly as possible to avoid falling victim to quick turnaround exploits. "All six critical patches require system reboots. Along with two of the important patches, the critical patches all address vulnerabilities which, if exploited, could introduce remote code execution and allow hackers to completely take over a machine. This creates a nightmare scenario, and is not far off from complete administrator access—the favorite attack vector." Indeed, some of the patches labeled "important" should actually be treated as critical, Zimski said. "For instance, #6 addresses remote code execution through Windows Media Player. This is only given a rating of important because it requires some form of user interaction, but many users browsing the Internet are viewing media. Even if an organization blocks certain Web sites or Active content, they typically dont block streaming media which could easily trick users into compromise if this vulnerability is exploited." To get Microsofts downloads, go to the bulletin summary page for August 2007. Shavlik is having a Webinar for its customers to go over the patches on Aug. 15 at 11a.m. CDT. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel