By Erika Morphy TechNewsWorld
08/15/07 12:22 PM PT
Microsoft's latest security fixes focus on problems identified in several popular desktop applications, including Excel, the widely used spreadsheet tool in Microsoft Office. Most of the flaws are subject to remote exploitation when users view a specially crafted Web page.
Microsoft (Nasdaq: MSFT) has fixed six critical and three important desktop application vulnerabilities in this month's Patch Tuesday release.
Patches for flaws that directly affect desktop application users have been showing up more frequently in Patch Tuesday releases over the last eight to ten months, noted Amol Sarwate, manager of the vulnerability research lab at Qualys.
"Three or four years ago, the vulnerabilities were mainly found in file or e-mail servers, for instance," he told TechNewsWorld. This shift in security focus -- or the increase in this type of vulnerability -- is very apparent in this release, he added, a reflection perhaps of the growing number of attacks targeting Web-based and next-generation media applications.
The August patch, which addresses 14 vulnerabilities in all, is also notable for its size, Sarwate continued. For the year to date, this month's release is the largest since February.
From Critical to Important
Most of the flaws are subject to remote exploitation when users view a specially crafted Web page. Indeed, the practice of setting up such Web pages or embedding malicious code in legitimate ones has surged over the past month or so.
The most critical vulnerability in the latest patch is in Microsoft XML (extensible markup language) core services. There are also flaws in Excel, OLE (object linking and embedding) automation, Internet Explorer, the graphics rendering engine and the VML (vector markup language) implementation -- all of which could allow remote code execution.
Flaws in Windows Media Player and Windows gadgets can also be exploited remotely. Finally, a vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or on another guest operating system.
"It is a pretty broad range of products that are affected in this release," Sarwate commented. In his view, the most important patch is MS07-046: It fixes the Microsoft graphics rendering engine in the core Windows operating system. If left unpatched, users who view malformed image files will open up their systems to remote code execution.
IE and Excel
The patches that relate to Internet Explorer and Excel -- part of the Microsoft Office suite -- are also important, Sarwate said, as they are such widely used applications.
"A typical exploit scenario would be for MS Office and Explorer users to receive and open a malformed Excel spreadsheet as an e-mail attachment, or visit a Web site that hosts malformed Excel spreadsheets -- at which point the machine can be compromised and overtaken by attackers," he says in an advisory on the patch.