Two Hot-Fixes for Patch Tuesday

In one of the least stress-inducing Patch Tuesdays in memory, Microsoft released just two security bulletins today, one "Critical" and one "Important."

The critical patch is something many IT pros had been waiting for over the past few months. MS07-061 protects against remote code execution exploits affecting multiple products: Windows 2000 Server SP4, Windows XP SP2, all versions of XP Professional 64 and multiple versions of Windows Server 2003, including both service packs for Intel Itanium processor-based systems, used mainly in enterprise environments.

Uniform Source Identifier (URI) manipulation is at the root of the exploits that Microsoft hopes this patch will squelch. The vulnerability is caused by the way Windows Shell handles specially crafted URIs. There are multiple attack vectors to consider, since the Windows Shell contains the entire OS interface presentation, including the desktop, taskbar, dialog boxes and application entry points.

"I say get patching, get patching immediately," Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies, said of the critical issue. "While I'm usually not concerned with client-side vulnerabilities, this is important because everybody's been waiting for this for a while."

Ben Greenbaum, senior research manager with Symantec Security Response, agrees, saying the profile of client-side attacks has risen over the last six months to a year and that Microsoft is responding accordingly with this patch.

"The (client side) endpoint has always presented some challenges for security, but this endpoint represents a numerous and diverse category to manage," Greenbaum said. "Hopefully this patch gives you less avenues as a hacker to install your code; certainly there's no shortage of vectors, and that makes detection and remediation that much more difficult."

The other patch, MS07-062, defends against Domain Name System (DNS) server attacks known as "spoofing." Spoofing, a sophisticated server-side attack, is less random and more targeted and malicious in nature. DNS administrators would do well to jump on this patch, even before the critical one, experts say.

"Victims of their own volition would be redirected to the attacker's site, entering in whatever sensitive info for the attacker's eye to see," said Symantec's Greenbaum. "The real short version of what's possible here is an attacker could redirect traffic to a machine that the attacker controls. The typical user would not notice any difference."

Windows 2000 Server, SP4 and every iteration of Windows Server 2003 are at risk.

Both fixes will require system restarts.

Microsoft also re-released an older patch, MS07-049, that closes an elevation of privilege vulnerability affecting Virtual Server and Virtual PC. The bits of the patch itself are unchanged; the alterations are to the installer code only, Microsoft said. Apparently, some users were having difficulty installing the patch.

As always, the software giant will release an update to the Microsoft Windows Malicious Software Removal tool. Redmond also said it will roll out three high-priority nonsecurity updates on Microsoft Update, but none on Windows Update.

Looking ahead, observers expect another light patch release next month ahead of Christmas, but say the action promises to pick up in earnest beginning in January 2008.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.