Microsoft’s monthly security update contains only two advisories — not a bad number for the vendor, which in the past has rolled out fixes for a dozen or more flaws at one time.
Still, the relative scarcity of vulnerabilities this month should not discount how significant these potential exploits can be to end users and system administrators, say security analysts at Qualys and Sophos.
Two Patches, Both Critical?
Microsoft categorized one of the patches, MS07-062 — a domain name system advisory — as “important,” but security research firm Qualys urges DNS administrators to treat it as critical.
The exploit affects DNS servers, allowing hackers to spoof them or listen in on their communications with one another. Users operating from unpatched servers could potentially be routed to hacker Web sites.
The patch Microsoft labeled “critical” in this month’s release, MS07-061, is drawing much attention in the Internet security community. A client-side vulnerability that was first identified last month as a zero day exploit, it affects URIs (uniform resource identifiers) that are used to identify Web-based content such as text, videos, images or programs.
Made public last month, this hole has already been widely exploited — most notably on a collection of Web sites registered in Russia, according to Amol Sarwate, manager of the vulnerability research lab at Qualys.
It affects the desktop and such common applications as Firefox and Internet Explorer, because URI translation can be done at both the operating system shell or the application level, he said. A number of vendors, including Adobe and Mozilla, have released patches in the past couple of weeks to address this issue.
One saving grace is that the vulnerability requires user interaction to go into play, Jonathan Bitle, manager of the technical accounts team at Qualys, told TechNewsWorld.
For instance, a user would have to click on a Web address link that a hacker made available on a bulletin board or in an e-mail to trigger the malicious code execution that would allow the attacker to take complete control of the system.
The exploit is part of a larger trend toward client-side vulnerabilities targeting end users. This approach by hackers, “not only requires patching,” Bitle said, “but a focus on user education, so end users don’t do anything to jeopardize the security of an organization.”
Indeed, this is a key time for hackers, Sophos security analyst Graham Cluley told TechNewsWorld.
“There are more people shopping online at this time of year than any other. Also, work slows down and employees tend to have more time to surf, visiting Web sites that maybe they shouldn’t, or opening attachments because they think they are holiday messages,” he said.
MS07-061, in particular, targets that particular tendency, Cluley noted. “Hackers are [always] on the lookout for vulnerabilities in popular software that will allow them to store code in computers — but never more so than this time of year.”
The Missing Patch
One positive thing about this Patch Tuesday, Cluley observed, was the absence of any vulnerabilities in Vista. Those can be particularly dangerous because of how easily they are exploited, he said, and the number of people that are potentially exposed.
However, one patch security experts were hoping to see was missing from this month’s release: the much-anticipated fix for the Macrovision driver.
“Given that Microsoft released an out-of-band advisory stating that a patch would be available shortly for this vulnerability, it was very surprising that it was omitted,” Sarwate said. “Macrovision has already made its own patch for the driver available.”