
    Microsoft Tackles Vista, Virtualization Patches

    Written by

    Lisa Vaas
    Published August 14, 2007

      Patch Tuesday brings with it a host of security issues with Vista, issues with virtualization and a fun time for system administrators who deal with clients using some wildly popular Microsoft applications: Internet Explorer and Excel.

      On Aug. 14, Microsoft released nine security patches for 14 vulnerabilities, with six of the updates rated critical, in its biggest patch release since February.

      “With nine security bulletins, today is the second-busiest Patch Tuesday this year,” said Dave Marcus, security research and communications manager at McAfee Avert Labs, in a statement. “Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site. Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits.”

      One thing that Microsoft failed to get out: an update that would address an ATI driver vulnerability that affects the Vista kernel. Microsoft told eWEEK that it's now working with Advanced Micro Devices on a fix for that issue.

      All nine of the security bulletins pertain to what Eric Schultze, chief security architect at Shavlik Technologies, calls client-side vulnerabilities. That means a user has to take action in order to get attacked. In most cases that involves visiting a malicious site, reading a malicious e-mail or opening a malicious file.

      The good news: Server administrators running big server farms, with no users executing script that can install code onto their systems, have it easy. Their servers are safe, Schultze said, given that there's no vulnerability that can result in a Code Red or Nimda worm situation.

      Still, today's patch load is enough reason to disconnect your PC from the wall for a few weeks, he said, given that if you visit a malicious site, there are six ways you can get attacked.

      Starting at the top is MS07-042, a vulnerability in Microsoft XML Core Services that could allow remote code execution. This vulnerability, which can be exploited through attacks on Microsoft XML Core Services, involves a user viewing a maliciously crafted Web page using IE (Internet Explorer).

      That one, rated critical, goes hand in hand with MS07-043, Microsoft's security bulletin regarding a vulnerability in OLE Automation that could also get your system hijacked. Users are vulnerable if they view malicious sites that contain attacks on OLE (Object Linking and Embedding). Both MS07-042 and -043 were found by the same researchers: an anonymous researcher working with the VeriSign iDefense VCP and an anonymous researcher working with the Zero Day Initiative.

      A third critical vulnerability is detailed in MS07-044, which addresses an Excel problem that could allow remote code execution if a user opens a malicious Excel file. Nothing new there—Excel security vulnerabilities are popping up regularly nowadays, Schultze noted.

      The MS07-045 security bulletin scoops up three critical vulnerabilities in IE that could get your system hijacked if you view a malicious site with the browser, given that a maliciously crafted page can trigger ActiveX controls on vulnerable systems. The flaws pertain to just about all versions of IE, including on Vista.

      MS07-046 is another critical bulletin, involving a vulnerability in GDI that could allow for remote code execution. This one involves visiting a malicious site that contains an evil graphic. As soon as you view the graphic through a banner ad or on a site, the malicious graphic attacks your system. Microsoft has patched GDI multiple times already, Schultze noted.

      Amol Sarwate, manager of the Vulnerabilities Lab at Qualys, said -046 would likely be his top-priority patch to apply, followed by the IE and Excel patches, given the applications' prevalence and the consequences of remote code execution.

      MS07-050 addresses a critical vulnerability in VML (Vector Markup Language) that also allows for remote code execution.

      MS07-047 deals with two important vulnerabilities in Windows Media Player—particularly, in the skins that make Media Player look pretty—that could lead to remote code execution.

      One important security bulletin, MS07-048, is notable in that the two vulnerabilities addressed aren't in old code—they're in Vista's Windows Gadgets, a new application that lets you run gadgets on the side of your screen that do things like display clocks or the weather or sports information.


      If a gadget creator is evil, Schultze said, he or she can execute other code in that box on the side of your screen, given that the vulnerabilities allow anonymous remote attackers to run code with the privileges of a logged-on user.

      “If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget an attacker could potentially run code on the system,” Microsoft said in its bulletin. No other operating systems besides Vista are vulnerable to this one.

      Finally there's MS07-049, a flaw that's only rated important but which researchers find very interesting. This vulnerability concerns the ability to elevate privileges in Virtual PC and Virtual Server that could allow a guest operating system user to run code on the host or another guest operating system.

      “While it is not the most severe vulnerability covered by Microsoft this month, IBM ISS considers MS07-049, the virtual machine vulnerability in Microsoft Virtual PC and Microsoft Virtual Server, to be the most interesting,” said X-Force Researcher Tom Cross in a statement. “Enterprises are increasingly embracing virtualization to simplify IT management and cut infrastructure costs. As this trend continues, we're going to see attackers use vulnerabilities like MS07-049 to leverage control over one virtual host to infect others on the same server. This is a new kind of attack methodology that requires unique protection.”

      To exploit this virtualization vulnerability, a guest operating system user does need administrative permissions on that guest operating system, Microsoft noted.

      Still, it's notable, given that this flaw allows a guest to cross a chasm that's supposed to be uncrossable, breaking out of one machine and into another because they're running on the same piece of hardware, Schultze noted.

      “That's a big one if you're relying on virtualization,” he said. Microsoft's Virtual PC and Virtual Server technology may be less widely deployed than that of VMware, but it is still used on plenty of production servers to host Web sites or other applications, he said.

      To sum it all up: As Paul Zimski, senior director of market and product strategy for PatchLink, put it, this month's Patch Tuesday “has headache written all over it.”

      The details of the patches indicate a broad spectrum of exposure, Zimski said in a statement. “The potential attack vectors exposed by these vulnerabilities include direct OS targeting (including Vista x32 and x64), fully-patched Internet Explorer 6 and 7, XML core services, Windows Media Player and Office. This is a target-rich environment for hackers. Organizations need to remediate these vulnerabilities as quickly as possible to avoid falling victim to quick turnaround exploits.

      “All six critical patches require system reboots. Along with two of the important patches, the critical patches all address vulnerabilities which, if exploited, could introduce remote code execution and allow hackers to completely take over a machine. This creates a nightmare scenario, and is not far off from complete administrator access—the favorite attack vector.”

      Indeed, some of the patches labeled “important” should actually be treated as critical, Zimski said.

      “For instance, #6 addresses remote code execution through Windows Media Player. This is only given a rating of important because it requires some form of user interaction, but many users browsing the Internet are viewing media. Even if an organization blocks certain Web sites or Active content, they typically don't block streaming media which could easily trick users into compromise if this vulnerability is exploited.”

      To get Microsoft's downloads, go to the bulletin summary page for August 2007.

      Shavlik is having a Webinar for its customers to go over the patches on Aug. 15 at 11 a.m. CDT.

      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection.
