Software // Information Management
News
11/13/2007
03:58 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Marks Light Patch Tuesday With Two Security Updates

The Security Bulletins mostly impact non-Microsoft Windows Vista products, but analysts warn against complacency.

Microsoft on Tuesday released two security bulletins, one rated "critical" and the other rated "important."

Microsoft Security Bulletin MS07-061 describes a publicly reported flaw in the way the Windows shell handles Uniform Resource Identifier (URI) strings. An attacker exploiting this vulnerability could execute arbitrary code on the affected system.

Microsoft first acknowledged this vulnerability on October 10. It has been publicly known at least since July when security firm Secunia published a security advisory on the flaw.

Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies, said that it's a light month for patches but welcomed the URI fix. "A very critical patch was released," he said. "This patch addresses a security issue that's being actively exploited on the Internet. So it's important to get this patched immediately."

Microsoft Security Bulletin MS07-062 describes a vulnerability in Windows DNS Servers that could allow an attacker to spoof DNS requests and thereby redirect Internet traffic from legitimate sites.

The affected Microsoft operating systems include certain versions of Windows XP and Windows Server 2003. The spoofing vulnerability also affects Windows 2000 Server Service Pack 4.

In an e-mailed statement, Ben Greenbaum, senior research manager at Symantec Security Response said, ""We find the DNS spoofing issue to be of interest as well because it could allow, for example, attackers to send victims to a phishing site without the use of a phishing e-mail as bait."

However, Schultze said that for most of the world, this is a non-issue. "If you're a DNS administrator then it should be your top priority to get this patch installed," he said, even if the associated attack is beyond the means of the typical script kiddie.

Microsoft also re-released Microsoft Security Bulletin MS07-049 to address problems some people were having with the installer.

Finally, Microsoft said that a patch addressing a flaw in a Macrovision driver was available at the vendor's site. "As your probably also aware we recently released Security Advisory 944653 regarding a vulnerability in secdrv.sys, a SafeDisc driver, which is made by Macrovision and shipped in certain versions of Microsoft Windows," the company said on the Microsoft Security Response Center blog. "Macrovision has also released an Advisory and posted a manual patch to update the system driver, secdrv.sys, on Window XP and Windows Server 2003 systems, which is available at [Macrovision's site]. It's important to note that Microsoft Windows Vista is not affected by this vulnerability."

"I would not be shocked to see Microsoft release the patch later this month as an out-of-band release," Schultze said.

Despite the light patch-related workload this month, Schultze warned against complacency. "Consider it the calm before the storm," he said. "We don't know when the storm is coming but there's sure to be one."

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, don’t look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July10, 2014
When selecting servers to support analytics, consider data center capacity, storage, and computational intensity.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.