Microsoft Fixes Glitches in IE, Multimedia, Vista

The high-priority fixes are in IE and Windows Media Format Runtime, along with a glaring hole in Vista security.

Microsoft's latest monthly patch set tackles critical vulnerabilities that attackers can exploit in the wild to target PC users.

Microsoft released seven security bulletins that addressed 11 vulnerabilities on its Dec. 11 Patch Tuesday. Of those, three bulletins containing seven client-side vulnerabilities are rated as critical and affect nearly all major Microsoft operating systems: 2000, XP, 2003 and Vista.

"The more alarming vulnerabilities are those in Windows Media Format Runtime and Internet Explorer, since a successful exploit could occur when a user visits a malicious Web page or when viewing a malicious e-mail. Neither issue requires any further interaction by the victim to exploit, compounding the problem," Ben Greenbaum, senior research manager for Symantec Security Response, said in a release.

Microsoft said in its security advisory for four IE flaws that it has received information that at least one of the IE vulnerabilities is being exploited in the wild.

Both Symantec and Shavlik Technologies' Chief Technology Officer Eric Schultze rated the four critical vulnerabilities in Internet Explorer as the most important for users to tackle. Microsoft addressed the vulnerabilities in its MS07-069 security advisory. All four new flaws in IE could lead to attackers taking over vulnerable systems.

The risk is rated critical for these flaws on all supported releases of IE except for IE 6 and 7 on Windows Server 2003, on which the flaws are rated moderate.

The flaws affect IE 5.01, 6, 6 Service Pack 1 and 7, to varying degrees. The updates address IE vulnerabilities on up-to-date Windows 2000, Windows XP x86/x64, Windows 2003 Server x86/x64/Itanium and Windows Vista x86/x64 systems.

The two other critical bulletins are MS07-068—which covers a flaw in Windows Media Format Runtime that could allow a remote attacker to take over a system—and MS07-064—an advisory that covers two vulnerabilities in Microsoft DirectX that again could give remote attackers the ability to execute arbitrary code on a victimized system.


Click here to read about why a Microsoft report on IE security brought a quick retort from Mozilla.

The Windows Media Format Runtime update affects supported editions of Windows Media Format Runtime 7.1, 9, 9.5, 11 and is for Windows Media Services 9.1. The DirectX update affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003 and Windows Vista.

Bulletins 64 and 68 are similar in that they both address vulnerabilities that involve users visiting malicious sites and getting attacked. The vulnerabilities are not actively being exploited now—at least, not to Microsoft's knowledge.

One of the vulnerabilities that Microsoft rated important is in fact being exploited, however. Namely, a local elevation of privilege vulnerability exists in how the Macrovision driver incorrectly handles configuration parameters. An attacker can exploit this vulnerability to take complete control of a vulnerable system. An attacker could then install programs, view, change or delete data, or create new accounts with full user rights, Microsoft said in its advisory MS07-067.

The Macrovision bug is a zero-day problem that's been around since October. FrSIRT reported on Oct. 19 that the trouble is a memory corruption error in the Macrovision Security Driver when processing user-supplied data. The vulnerability can be used by local attackers to gain so-called Ring 0 privileges and take complete control of an affected system.


That's bad. The term "Ring" refers to a protection ring of one or more hierarchical levels of privilege, with Ring 0 being the level with the most privileges and interacting the most directly with physical hardware, including the CPU and memory.

Macrovision patched the problem about a month ago in November, which is likely why Microsoft only rates the issue as "important" as opposed to critical, Schultze said. "If you deployed the Macrovision patch you're safe; it's the same patch that Microsoft is shipping," he said.

Beyond the critical client-side vulnerabilities in IE, DirectX and Windows Media Format Runtime, security researchers are giving Vista coal in its stocking: Out of the seven security bulletins Microsoft released, five affect Microsoft's newest, ostensibly most secure operating system.

The critical patches address vulnerabilities that could lead to system hijacking in all major Windows operating systems, including Vista. In addition, one of two important flaws in Vista has cropped up in SMBv2, a packet-signing security feature that was specifically rewritten to be more secure in its Vista incarnation.


"That's brand-new code that went through [the Vista] security-vetting process, and it still has this big security vulnerability," said Shavlik's Schultze. "It's not a good month for Vista—not a good year for Vista."

Other security researchers agreed that Vista doesn't look good at the moment. "The sheer number of vulnerabilities this month that affect Windows Vista is a concern," Greenbaum said in Symantec's release.

Packet signing is meant to keep Vista users more secure by guaranteeing the origins of a given packet, but in the case of the vulnerability covered in MS07-063, a remote user could spoof a Vista user's signature.

Pulling off an impersonation attack isn't very easy, though, which is likely why Microsoft only rated the flaw as "important," Schultze said.

Another important security advisory, MS07-066, involves a vulnerability in the Windows kernel that affects Vista. The flaw is an elevation of privilege vulnerability in the way that Vista's Windows kernel processes certain access requests. The vulnerability could lead to an attacker taking complete control of a target system. An attacker could then install programs, view, change or delete data, or create new accounts with full administrative rights.

Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.