    Microsoft Patches 4 Critical Flaws

    By Brian Prince - April 10, 2007

      Patch Tuesday has arrived, and brought with it patches for a number of security vulnerabilities rated “critical” by Microsoft.

      The four updates considered critical deal with remote code execution vulnerabilities in Microsoft Agent, the Universal Plug and Play service, Content Management Server and the Windows Client/Server Run-time Subsystem (CSRSS). A fifth update is rated “important” and addresses a privilege elevation vulnerability that exists in Windows Kernel due to incorrect permissions on a mapped memory segment.

      This flaw cannot be exploited remotely.

      The five bulletins released today contain fixes for a total of eight vulnerabilities, and come on the heels of last week's out-of-band update. To Don Leatham of the Scottsdale, Ariz.-based security vendor PatchLink, the fact that some of the vulnerabilities affect Vista is proof that while the new OS features security enhancements, users should not get cocky.

      “Jumping immediately to Vista increases your security but it does not make you invulnerable,” said Leatham, PatchLink's director of security solutions, in an interview with eWEEK.

      Symantec Security Response rated the Microsoft Agent vulnerability as the most critical of the security bulletins, because a successful exploit could allow an attacker to install malicious code and potentially gain complete control of the affected system.

      The vulnerability affects the Microsoft Agent ActiveX component of Microsoft Windows 2000, Windows XP and Windows Server 2003, but does not affect Vista.

      To exploit this vulnerability, an attacker would have to convince users to visit a malicious Web site.

      “Symantec views these patches as critical because there is an increased potential for exploitation since these vulnerabilities affect multiple versions of Microsoft Windows, including Windows Vista,” said Vince Hwang, group product manager, Symantec Security Response.

      “Symantec always recommends that users download the available Microsoft patches to mitigate the security risks and to optimize and protect their systems from attacks.”

      Other security specialists deemed the patch for the CSRSS vulnerabilities as equally or more important, noting all three CSRSS flaws affect Windows Vista and prior versions of Windows. A remote code execution vulnerability exists in the CSRSS process because of the way that it handles error messages.

      Two other flaws involving CSRSS—one dealing with how it handles its connections during the starting and stopping of processes and the other with how it handles error messages—were also patched. Neither of those two flaws, however, can be exploited remotely, according to Microsoft.

      “The most interesting thing about this vulnerability [MS-07021] is that we have a CVE on Dec. 21, 2006 and a Microsoft Security Response Center blog posting on Dec. 22, 2006 on this same vulnerability well in advance of Vista's release in January 2007,” said Andrew Storms, director of security operations at nCircle in San Francisco.

      Microsoft has also fixed two flaws in Microsoft's Content Management Server, a product that allows customers to build, deploy and maintain Web sites. One is a problem in how HTTP requests are handled, while the second is a spoofing or cross-site scripting vulnerability caused by Microsoft Content Management Server not completely validating input provided in an HTML redirection query before it sends that input to the browser.

      Another remote code execution vulnerability exists in the UPnP service, involving the way it handles specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Local Service account, according to Microsoft.

      Michael Sutton, security evangelist for Atlanta-based SPI Dynamics, urged businesses to move decisively but cautiously when rolling out updates.

      “Internal testing is required to first ensure that the update does not conflict with any third-party or custom-built applications,” he said. “The days following a patch release present significant risk for corporations. Once details of the vulnerability are available, the clock starts ticking between attackers attempting to develop exploit code and corporations trying to successfully deploy patches. It's a winner-take-all race to the finish.”

      Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.
