Microsoft on Tuesday released five patches -- four of them rated critical -- as part of its monthly security update cycle. One of the patches affects Windows Vista.

The four patches rated critical, Microsoft’s highest rating, involve the Windows operating system and Microsoft Content Management Server (CMS). They are: MS07-018, MS07-019, MS07-020 and MS07-021.
The fifth patch, MS07-022, is rated important and addresses a vulnerability in Windows.
Some experts say it is patch MS07-021 that is the most significant because it is the only one that affects 32- and 64-bit Vista, Microsoft’s newest operating system.
“We think 21 is critical because it is an indication that older vulnerable OS code is being reused in Vista,” says Amol Sarwate, manager of vulnerability research for security vendor Qualys. “It definitely opens doors for attackers to try attacks that were used on older [Windows] code.”
Sarwate says MS07-021 also raises concern because it contains a Web-based attack scenario that could download malicious code and take over the PC of a user who opens a malicious Web site with their browser. Sarwate also says MS07-021 is a zero-day attack that was first reported in December last year.
He says that Qualys has not detected any exploit code in the wild, such as was seen with the .ani vulnerability for which Microsoft issued an emergency patch last week.
Also of concern, Sarwate says, are patches MS07-018 for CMS and MS07-019 for Windows, which address server-based attacks that do not require any action by an end-user. When servers running CMS or Windows have certain services enabled, an attacker can send an HTTP GET request with a malformed URL and take over the machine, according to Sarwate.
MS07-021 also affects Windows 2000 Service Pack 4; XP Service Pack 2; XP Professional x64 Edition and x64 Edition SP2; Windows Server 2003, Windows Server 2003 SP1, Windows Server 2003 SP2; Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with SP1 for Itanium-based Systems, and Windows Server 2003 with SP2 for Itanium-based Systems; and Windows Server 2003 x64 Edition and x64 Edition SP2.

In addition to the patches, Microsoft released the monthly installment of its malicious software removal tool. This month’s update removes Win32/Funner and can be downloaded here.