Microsoft Security Bulletin MS07-061 describes a publicly reported flaw in the way the Windows shell handles Uniform Resource Identifier (URI) strings. An attacker exploiting this vulnerability could execute arbitrary code on the affected system.
Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies, said that it's a light month for patches but welcomed the URI fix. "A very critical patch was released," he said. "This patch addresses a security issue that's being actively exploited on the Internet. So it's important to get this patched immediately."
Microsoft Security Bulletin MS07-062 describes a vulnerability in Windows DNS Servers that could allow an attacker to spoof DNS requests and thereby redirect Internet traffic from legitimate sites.
The affected Microsoft operating systems include certain versions of Windows XP and Windows Server 2003. The spoofing vulnerability also affects Windows 2000 Server Service Pack 4.
In an e-mailed statement, Ben Greenbaum, senior research manager at Symantec Security Response, said, "We find the DNS spoofing issue to be of interest as well because it could allow, for example, attackers to send victims to a phishing site without the use of a phishing e-mail as bait."
However, Schultze said that for most of the world, this is a non-issue. "If you're a DNS administrator then it should be your top priority to get this patch installed," he said, even if the associated attack is beyond the means of the typical script kiddie.
Microsoft also re-released Microsoft Security Bulletin MS07-049 to address problems some people were having with the installer.
Finally, Microsoft said that a patch addressing a flaw in a Macrovision driver was available at the vendor's site. "As you're probably also aware, we recently released Security Advisory 944653 regarding a vulnerability in secdrv.sys, a SafeDisc driver, which is made by Macrovision and shipped in certain versions of Microsoft Windows," the company said on the Microsoft Security Response Center blog. "Macrovision has also released an Advisory and posted a manual patch to update the system driver, secdrv.sys, on Windows XP and Windows Server 2003 systems, which is available at [Macrovision's site]. It's important to note that Microsoft Windows Vista is not affected by this vulnerability."
"I would not be shocked to see Microsoft release the patch later this month as an out-of-band release," Schultze said.
Despite the light patch-related workload this month, Schultze warned against complacency. "Consider it the calm before the storm," he said. "We don't know when the storm is coming but there's sure to be one."