Those seven vulnerabilities cover the worst-hit applications. The July 10 Patch Tuesday saw a total of 11 vulnerabilities fixed in six security bulletins.
Analysts were warning about the critical .Net flaw ahead of the bulletin release, given the frameworks core role in supplying code to a vast array of Windows applications, such as in pre-coded user interfaces, data access components, database connectivity, cryptography, Web application development, algorithms and network communications modules.
Indeed, Web application security experts said, a critical .Net bug has the potential to affect pretty much all applications on all of Microsofts actively supported platforms.
As it turns out, the security patch for the critical .Net vulnerability resolves three privately reported vulnerabilities. Two of those flaws could allow remote code execution on client systems with .Net Framework installed, and one could allow information disclosure on Web servers running ASP.NET.
Dave Marcus, security research and communications manager at McAfee Avert Labs, said that the .Net bugs are easily exploitable, making them high-priority patches. "The vulnerabilities in the .Net Framework could be exploited through malicious Web sites," he said in a statement. "Simply visiting such a Web site would result in malicious code being installed on the victims computer."
The .Net vulnerabilities include a PE (Portable Executable) Loader flaw (CVE-2007-0041). The PE format is a format for executables, object code and DLLS thats used in 32-bit and 64-bit Windows operating systems. Its called "portable" because the format can be ported across all 32-bit and 64-bit Windows operating systems.
The format is a data structure that serves to encapsulate information needed by a Windows operating system loader to managed wrapped executable code, including dynamic library references for linking, API export and import tables, and more. PE is also the standard executable format in EFI (Extensible Firmware Interface) environments.
A remote attacker who manages to exploit the vulnerability in .Nets PE Loader could change the system with the permissions of a logged-on user. If a user is logged in with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
One mitigating factor for the .Net PE Loader flaw is that user interaction is required; a Web-based attacker has to host a site with a malicious page and lure a victim onto it in order to exploit the vulnerability.
Another mitigating factor can be limited user rights. Users running with restricted rights give attackers less ability to tamper with a system. Also, by default, supported versions of Outlook and Outlook Express open HTML e-mail in a restricted sites zone. That zone prevents Active Scripting and ActiveX controls from being used when reading HTML e-mail. But if a user clicks on a link within the e-mail, all bets are off; theyre still potentially vulnerable to a Web-based attack. Internet Explorer on Windows Server 2003 also runs in a restricted mode known as Enhanced Security Configuration. That mode sets the security level for the Internet zone to High.
The second .Net flaw is a null byte termination vulnerability (CVE-2007-0042) that can lead to information disclosure. A successful attacker could use the flaw to bypass the security features of an ASP.NET Web site, after which he or she could download the contents of any Web page. A mitigating factor in this case is that Web applications developed with ASP.NET that restrict all untrusted input variables, including null bytes, to a range of expected values or characters would not be affected.
Microsoft says that a workaround for this bug would be for developers to compare Internet accessible values such as query strings, cookies, or form variables against a list of allowed values and reject any other values that fall outside of this range.