Microsoft Patches Critical Windows Flaw
November 16th, 2007 - 9:11 pm ICT by admin
Microsoft released two security updates on Tuesday to patch two vulnerabilities, one rated “critical” and the other “important.” The small number of November updates contrasts with the series of Patch Tuesday summer releases that numbered as high as 17 vulnerabilities.
The critical vulnerability addressed on Tuesday can be exploited through malicious Web sites, while the important-rated vulnerability could let an attacker redirect Internet traffic from legitimate sites to fake ones.
These patches again emphasize the need for proactive browser protection and the risk of surfing the Web unprotected, according to Dave Marcus, research and communication manager at McAfee Avert Labs. “The critical Windows URI handling vulnerability is already being exploited,” he said. “A Windows XP or Windows Server 2003 user with Internet Explorer 7 installed can become a victim by simply clicking a malicious Web link.”
The Critical Patch
Security bulletin MS07-061 describes the critical Uniform Resource Identifier (URI) handling flaw, which so far affects only systems with IE7 installed. A URI is the string, such as a Web address or a mailto: link, that names a resource and the protocol used to reach it; Windows hands each URI to the handler registered for its scheme. Microsoft is releasing the fix for the affected versions of Windows rather than for the browser, because the bug is in Windows’ own URI handling, even though, so far, it can only be exploited where IE7 is installed.
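As an added example, not code from the article, McAfee, Qualys or Microsoft, the kind of allow-list check an application can run on a link before passing it to the operating system’s URI handler, the shared component the bulletin patches. The scheme list, the length limit and the rejected character classes are assumptions chosen for illustration; the check does not reproduce the exploited input, which the article does not describe.

```python
# Added example (not from the article or Microsoft): a conservative URI
# validator an application can apply before handing a link to the operating
# system's URI handler. The rejected patterns are generic hardening
# assumptions, not a description of the MS07-061 exploit.
import re
from urllib.parse import urlsplit, unquote

# Assumption: only these schemes are ever dispatched to external handlers.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Strict RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")
# A percent sign must be followed by exactly two hex digits.
_BAD_PERCENT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")
# Characters a shell or command interpreter treats specially.
_SHELL_META = set('"\'<>|&;`\\')


def check_uri(uri: str) -> tuple:
    """Return (ok, reason); ok is True only if every check passes."""
    if len(uri) > 2048:  # assumed limit; long inputs are rejected outright
        return False, "uri too long"
    # Control characters and whitespace never belong in a URI.
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c.isspace() for c in uri):
        return False, "control or whitespace character"
    scheme, sep, rest = uri.partition(":")
    if not sep or not _SCHEME_RE.match(scheme):
        return False, "missing or malformed scheme"
    if scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + scheme.lower()
    if _BAD_PERCENT_RE.search(uri):
        return False, "malformed percent-encoding"
    # Check the decoded form too, so encoding cannot hide a metacharacter.
    decoded = unquote(rest)
    if any(c in _SHELL_META for c in decoded):
        return False, "shell metacharacter after decoding"
    # Path traversal segments, in either slash convention.
    if re.search(r"(^|[/\\])\.\.([/\\]|$)", decoded):
        return False, "path traversal segment"
    if scheme.lower() in ("http", "https") and not urlsplit(uri).netloc:
        return False, "http(s) uri without host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real attack.
    for link in (
        "https://example.com/path?q=1",
        "mailto:user@example.com",
        "javascript:alert(1)",
        'mailto:x%"y',
        "mailto:a/../b",
        "http:///nohost",
    ):
        print(repr(link), "->", check_uri(link))
```

The decoded form is checked separately from the raw form because a single decoding pass is what most handlers apply before using the value; an application that decodes more than once would need to repeat the metacharacter check after each pass.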
Amol Sarwate, manager of the vulnerability research lab at Qualys, noted that this client-side vulnerability was first identified last month as a zero-day vulnerability that has already been widely exploited, most notably on a collection of Web sites registered in Russia.
This vulnerability affects everyday users of common applications, Sarwate said. “Users can be compromised by clicking on a URL link that attackers have created and made available via various sources like bulletin boards or in e-mails,” he explained. “When users click through to visit the site, the attacker-supplied code executes and allows the attacker to take complete control of the system.”
Sarwate said that, given that URI translation can be…