Microsoft patches include cumulative Internet Explorer fix

Microsoft today pushed out six security updates to address vulnerabilities, one less than the company promised last week.

The update delivered four bulletins to correct seven "critical" vulnerabilities in such client-side Windows components as Outlook Express, Internet Explorer (IE) and Microsoft Word.

"We're really trending toward client-based vulnerabilities," Eric Schultze, chief security architect at Shavlik Technologies, told SCMagazineUS.com today, "where if you visit an evil website, you get hacked."

Experts were divided over which critical flaw organizations are most pressed to fix.

Don Leatham, director of solutions and strategy at Lumension Security, told SCMagazineUS.com that MS07-057 – a cumulative patch for three privately reported flaws and one publicly reported flaw in IE – could do the most harm to company networks. The flaws could result in remote code execution should users view a malicious website.

"Given the pervasiveness of IE throughout most organizations, that definitely needs to be the priority," he said.

Andrew Storms, director of nCircle security operations, said the IE patch includes fixes for an address bar spoofing vulnerability and a memory handling corruption bug related to a malformed ActiveX control.

Meanwhile, Schultze said organizations should also pay particular attention to MS07-060, which corrects a bug in Word. Microsoft said hackers are actively exploiting the vulnerability, which affects the Office 2000 and XP versions.

Ben Greenbaum, a senior security manager with Symantec Security Response, said the ubiquity of Outlook Express and Windows Mail makes MS07-056 the most pressing patch for organisations to extend to their end-users. The fix addresses a flaw caused by failure to handle malformed network news transfer protocol (NNTP) responses.

"The vulnerability…has the potential to be the worst of the batch because these applications [Outlook Express and Windows Mail] come packaged with nearly every release of the Windows operating system," Greenbaum said. "Both consumers and enterprises can protect themselves from a potential exploit by not clicking on suspicious links leading to a malicious webpage, keeping computer systems updated and implementing a full-featured internet security solution."

The other critical patch addresses a vulnerability in the Kodak Image Viewer.

Microsoft delivered two fixes labeled "important", the most notable of which addresses a denial-of-service bug in the remote procedure call (RPC). Attackers could exploit the vulnerability to send malicious packets that could take down an Exchange Server, Schultze said.

Microsoft had planned to release another "important" patch but decided to scrap it, presumably due to problems that arose during testing, experts said.

See original article on SC Magazine US
Copyright © SC Magazine, US edition