Slow Patch Tuesday Should Not Be Dismissed
Only One Critical Fix in November Batch
Andy Patrizio

Microsoft's monthly patch cycle is about as slow as the company can get while still having a Patch Tuesday. It released two, count 'em, two fixes today, one rated Critical, the most severe kind of fix, and one rated as Important, considered the least severe.

The one Critical fix, MS07-061, addresses a publicly reported vulnerability involving how the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code.

Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7, but the vulnerability also exists in a Windows library file, so all versions of Windows are affected by it. This fix will require a reboot.

MS07-062, the fix rated as Important, addresses a vulnerability in Windows which could allow an attacker to send specially crafted responses to DNS requests.

Security experts urged administrators to install the 061 patch right away.

"This is a light Patch Tuesday with only one critical Microsoft OS vulnerability, a critical remote code execution that needs to be patched," said Don Leatham, director of solutions and strategy for Lumension Security, in a statement to InternetNews.com.

Leatham said administrators should look into other problems, as several application vulnerabilities have come to light in recent weeks. These include remote code execution holes in QuickTime, a vulnerability in Macrovision's Flexnet product and remote code execution holes in Adobe Acrobat.

Amol Sarwate, manager of the vulnerability research lab at Qualys, noted that Microsoft released an out-of-band advisory stating that a patch would be available shortly for the Macrovision vulnerability and that it was "very surprising" that a fix was omitted, although Macrovision has issued its own patch.

Sarwate also addressed the broader impact beyond Microsoft in an emailed statement.

"Given that URI translation can be done at the operating system shell or the application level, it’s notable that other vendors, including Adobe and Mozilla, released patches in the past weeks to address this issue," noted Sarwate. "Having said that, application vendors will benefit from Microsoft’s operating system ability to sanitize at the shell level."

Microsoft also issued its monthly upgrade to the Malicious Software Removal Tool, this time to recognize the Win32/Conhook line. Conhook is a Trojan downloader. The MSRT can be downloaded from Microsoft's MSRT page.

As is its tradition, Microsoft will hold a webcast to discuss the fixes on Wednesday, November 14, 2007 at 11:00 AM PDT.

News courtesy of internetnews.com

November 13, 2007
