Microsoft's Patch Tuesday Targets Seven Vulnerabilities - InformationWeek

Microsoft on Tuesday issued its December security update, addressing seven vulnerabilities.

Three of the vulnerabilities are rated critical. They could allow remote code execution if exploited. Four of the vulnerabilities are rated important.

December's update follows an unusually light November update, which fixed only two flaws. Microsoft's October patch dealt with seven flaws.

The critical vulnerabilities patched this month exist in Microsoft DirectX, Windows Media File Format, and Internet Explorer.

"These are critical because user intervention is required but no credentials are required for the vulnerability to be exploited," said Amol Sarwate, manager of the vulnerability research lab at Qualys, a vulnerability management company.

Sarwate noted that two of the bulletins, MS07-063 and MS07-067, addressed zero-day vulnerabilities.

"Today what's noteworthy is that of the seven bulletins, five of them impact Vista," said Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies. "Two of them are specific to Vista and affect only Vista. This month, it looks like Vista is the big loser."

Bulletin MS07-063 addresses a vulnerability in Server Message Block Version 2 (SMBv2), a technology that implements the digital signing of packets so two computers can be sure that they're talking to each other. The flaw could allow an attacker to forge packet signatures.

"This is listed as important and it's Vista only, but it's essentially a security feature that Microsoft put into Vista that's allowing this vulnerability to exist," said Schultze. "It's a security feature gone awry."

Bulletin MS07-067 fixes a flaw in the Macrovision secdrv.sys driver in Windows Server 2003 and Windows XP that has been known for three months and, according to Schultze, is being actively exploited. Macrovision offered a driver update to fix the problem last month.

Microsoft also on Tuesday released Microsoft Office 2007 SP1, which improves performance, security and stability for the company's popular productivity suite.
