Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    MS Patch Tuesday Fires Off 14 Critical Updates

    Written by

    Lisa Vaas
    Published May 8, 2007
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Microsoft has released patches for 19 vulnerabilities, 14 of which are critical, hitting at holes in Excel, Word, Office, Exchange, Internet Explorer, cryptographic technology and the whopper of them all, the zero-day vulnerability in the DNS Servers use of RPC.

      Michael Sutton, a security evangelist for Atlanta-based SPI Dynamics, said the “pretty high percentage” of critical updates on this Patch Tuesday is going to force a lot of system administrators to juggle updates, making decisions about which servers to update first. System administrators “cant take care of everything at once,” he said. “You have to look at severity.”

      Sutton said hes advising people to first focus on the Exchange and Domain Name System updates, given that those vulnerabilities will leave companies the most exposed to attack. “[Its a] challenge; when you have 14 criticals, youre putting some things secondary that are still top priorities,” he said.

      An exploit for the DNS RPC (remote procedure call) interface vulnerability was discovered in the wild in April. Within a week of its discovery, four new malicious programs popped up, each trying to take over systems by prying open the DNS hole.

      The DNS remote code execution vulnerability affects server-grade operating systems, including Windows 2000 and Windows Server 2003, and only those that have the DNS service enabled, such as Domain Controller, DNS Server or Microsoft Small Business Server configurations.

      Still, warned Symantec, based in Cupertino, Calif., enterprises and small businesses “should ensure [that] they update their systems with the patch since this vulnerability has already been exploited.” A successful exploit would completely compromise the computer.

      “As we reported in the recent Internet Security Threat Report, attackers are continuing to leverage browser and application vulnerabilities and social engineering tactics to gain access to computers in order to execute malicious code,” Oliver Friedrichs, director of emerging technologies for Symantec Security Response, said in a statement. “It is important that users protect themselves by updating their computers with recent patches, using common sense when connecting to the Internet and installing a comprehensive security suite.”

      Windows customers should immediately apply the DNS update, Microsoft said, to avoid the possibility of remote attackers hijacking their systems. The patch can be downloaded here.

      Another one of the most critical of the security updates, security bulletin MS07-026, affects Microsoft Exchange. It addresses a remote code execution vulnerability that affects the MIME (Multipurpose Internet Mail Extension) decoding mechanism of Microsoft Exchange Server 2000/2003/2007. The vulnerability can be triggered by a malformed base64-encoded attachment.

      The update covers several newly discovered Exchange vulnerabilities that have been privately reported. Sutton said hes guessing that the Exchange issue with MIME could well be an internal find on Microsofts part, which means that the exploit might not be in the wild anytime soon.

      “In that advisory, its interesting that three people are credited for three different vulnerabilities, and the only one that doesnt get credited is [the MIME vulnerability],” he said.

      /zimages/7/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

      Microsoft said the most severe of the Exchange holes could allow a successful attacker to gain complete control of a system, after which he or she could install programs, view, change or delete data, or create new accounts with full user rights.

      Symantec said a successful attack depends on an Exchange user opening a malformed attachment. A compromised machine that hosts a vulnerable Exchange server could affect a large number of people, Symantec pointed out.

      Because Exchange is such a critical communication vector, this update could have wide impact for companies that havent worked out plans to roll out the patch midweek. Many companies rely on waiting until the weekend to patch Exchange because of the business disruption that comes from taking down e-mail servers. If an exploit surfaces between now and then, such companies could be in serious trouble.

      Don Leatham of PatchLink, based in Scottsdale, Ariz., said in an interview the week of April 30 that were this Exchange patch to involve remote code execution, it could have a serious impact on companies patch schedules. That, in fact, is the case.

      One PatchLink customer, Richard Linke, said in an interview the week of April 30 that he would be rolling out Exchange updates following the sun, using Australia as the guinea pig. “You cant take all [the Exchange servers] out at once, or everybody winds up not being able to do mail,” said Linke, an independent security consultant and former global security manager at Kraft Foods.

      Linke will be overseeing the update of 36 Exchange servers around the world. As far as the other security and non-security updates go, hes looking at updating 5,000 servers.

      Linke said, “[Well] notify regions of what times [well] plan to do it. As the sun rises in one place, [well make sure the] Exchange group server is done.”

      Microsoft recommends updating immediately, and the patch can be downloaded here.

      Sutton also noted “a ton” of file format vulnerabilities, both on this Patch Tuesday and cumulatively over the past 18 to 24 months. For example, an attacker will send a malformed Word or Excel file. Such files are used so commonly in the business world, Sutton said, that an attacker has a “decent chance of somebody opening that file and being exploited.”

      “[File format vulnerabilities] are something Microsoft is still struggling with,” Sutton said.

      Three of the critical vulnerabilities addressed in the May 8 security updates are illustrative of the file-format vulnerability trend. Those three are remote code execution problems found in Excel: a BIFF Record Vulnerability, an Excel Set Font Vulnerability and an Excel Filter Record Vulnerability. The Excel update can be found here.

      Another three critical remote code execution vulnerabilities that illustrate file-format problems have been patched in Word: a Word Array Overflow Vulnerability, a Word Document Stream Vulnerability and a Word RTF Parsing Vulnerability. The updates can be found here.

      Microsoft is also tackling six critical vulnerabilities in Internet Explorer. The vulnerabilities are found in a range of IE iterations, from IE 5.01 SP4 running on Windows 2000 SP4 on up to IE 7 on Windows Vista. Also affected are IE 6 SP 1 when installed on Windows 2000 SP4, IE 6 for Windows XP SP 2, IE 6 for Windows Server 2003 SP1 and SP2, IE 7 for Windows XP SP2, and IE 7 for Windows Server 2003 SP1 and SP2.

      The vulnerabilities consist of a COM (Component Object Model) Object Instantiation Memory Corruption, an Uninitialized Memory Corruption, a Property Memory Corruption, an HTML Objects Memory Corruption and an Arbitrary File Rewrite. The cumulative update can be found here.

      Microsoft has also addressed a critical vulnerability in the CAPICOM (Cryptographic API Component Object Model) and BizTalk that could allow remote code execution. The update can be found here.

      Finally, Microsoft has patched one critical remote code execution vulnerability found in Office. This problem, which could also allow for complete system takeover, concerns a Drawing Object vulnerability—yet another file-format vulnerability. The update can be downloaded here.

      Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

      Lisa Vaas
      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×