Alpha Blog: CNET's gadget & tech news and opinions blogged by our editors
May 08, 2007, 11:38 AM PDT
Microsoft fixes 19 flaws in seven patches; all are considered critical updates
Posted by: Robert Vamosi

Microsoft has released its May 2007 security bulletin, which includes seven updates: all are listed as "Critical." Two of the patches affect Microsoft Windows, with one critical patch specific to Internet Explorer. Three of the patches affect Microsoft Office, and include Office for Mac 2004 users. To keep your Windows XP SP1 system secure, update to Windows XP SP2 today. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-023: Critical

Entitled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)," this bulletin affects users of Microsoft Office 2000 through 2007, plus Office 2004 for Mac, and addresses the vulnerabilities detailed in CVE-2007-0215, CVE-2007-1203, and CVE-2007-0214. Successful exploitation could lead to remote code execution.

MS07-024: Critical

Entitled "Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)," this bulletin affects users of Microsoft Office 2000 through 2003, plus Office 2004 for Mac, but does not affect Office 2007. It addresses the vulnerabilities detailed in CVE-2007-0035, CVE-2007-0870, and CVE-2007-1202. Successful exploitation could lead to remote code execution.

MS07-025: Critical

Entitled "Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)," this bulletin affects users of Microsoft Office 2000 through 2003, plus Office 2004 for Mac, but does not affect Office 2007. It addresses the vulnerability detailed in CVE-2007-1747. Successful exploitation could lead to remote code execution.

MS07-026: Critical

Entitled "Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)," this bulletin affects users of Windows Exchange 2000, Exchange Server 2003, and Exchange Server 2007, and addresses the vulnerabilities detailed in CVE-2007-0220, CVE-2007-0039, CVE-2007-1213, and CVE-2007-0221. Successful exploitation could lead to remote code execution.

MS07-027: Critical

Entitled "Cumulative Security Update for Internet Explorer (931768)," this bulletin affects users of Windows 2000 through Vista and Internet Explorer versions 5.01 through 7, and addresses the vulnerabilities detailed in CVE-2007-0942, CVE-2007-0944, CVE-2007-0945, CVE-2007-0946, CVE-2007-0946, and CVE-2007-2221. Successful exploitation could lead to remote code execution.

MS07-028: Critical

Entitled "Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)," this bulletin affects users of CAPICOM and BizTalk Server 2004, but does not affect BizTalk Server 2000, 2002, and 2006. It addresses the vulnerability detailed in CVE-2007-0940. Successful exploitation could lead to remote code execution.

MS07-029: Critical

Entitled "Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)," this bulletin affects users of Windows Server 2000 and 2003, but does not affect Windows 2000, Windows XP (SP2), and Windows Vista. It addresses the vulnerability detailed in CVE-2007-1748. Successful exploitation could lead to remote code execution.


April 04, 2007, 10:42 AM PDT
One emergency Microsoft patch fixes seven flaws, Vista included
Posted by: Robert Vamosi

Microsoft issued an emergency out-of-cycle patch for the animated cursor flaw in Microsoft Windows. Microsoft's regular every-second-Tuesday-of-the-month patch cycle was interrupted in March 2007 when the software vendor issued no patches and will resume next week, on Tuesday, April 10, 2007. The patch includes the first security bulletin that explicitly includes Windows Vista users. Microsoft security patches for Windows software are available via Microsoft Update or via the individual bulletin detailed below.

MS07-017: Critical

Entitled "Vulnerabilities in GDI Could Allow Remote Code Execution (925902)," this bulletin affects Windows 2000 SP4, Windows XP (SP2 and x64), Windows Server 2003 (SP1, 2, Itanium, x64), and Windows Vista, and addresses the vulnerabilities detailed in CVE-2006-5758; CVE-2006-5586; CVE-2007-1212; CVE-2007-0038; CVE-2007-1215; CVE-2007-1213. Successful exploitation could lead to remote code execution.

For more on the animated cursor flaw and the release of this out-of-cycle patch, see Joris Evers' story on News.com.


March 30, 2007, 12:52 PM PDT
Windows animated cursor attack: Prevention and cure
Posted by: Robert Vamosi

There's a new Microsoft Windows vulnerability caused by an unspecified error in the way Windows 2000, XP, and Vista handle animated cursors. Animated cursors allow a mouse pointer to appear animated on a Web site. The feature is often designated by the .ani suffix, but attacks for this vulnerability are not constrained by this file type, so simply blocking ANI files won't necessarily protect a PC. Successful exploitation can result in memory corruption when processing cursors, animated cursors, and icons. According to Arbor Networks, the malicious code on compromised Web sites exploiting this flaw appears to be originating from the following sites, which you may want to block:

wsfgfdgrtyhgfd.net

85.255.113.4

uniq-soft.com

fdghewrtewrtyrew.biz

newasp.com.cn

To become infected, visitors must be using Internet Explorer 6 or 7; there is no need to click, because just visiting an infected site is enough for an infection. The flaw does not affect the Firefox or Opera browsers. Therefore, until a patch is released, users might want to browse the Internet using a non-Internet Explorer browser.

Additional resources

Microsoft: Advisory 935423

NIST: CVE-2007-1765

Arbor Networks: Any ANI file could infect you


March 26, 2007, 10:49 AM PDT
McAfee to screen mobile content for malicious code
Posted by: Robert Vamosi

Today at CTIA in Orlando, Florida, security vendor McAfee announced a new filtering service for mobile service providers to screen unwanted content originating from subscriber cell phones. McAfee says its research shows mobile subscribers are increasingly using their cell phones for social networking and building online communities, either on-deck (within the provider's environment) or off-portal (on sites beyond the provider's environment, such as MySpace). With that trend comes the potential for subscribers to upload malware that might spread to others, potentially reducing the overall confidence in mobile as a content delivery option.

The service, called McAfee OK, works at the provider level and inspects all mobile content such as ring tones, images, video, and even applications that may be uploaded by subscribers onto the network. McAfee OK consists of software and services that can be integrated into existing mobile content delivery infrastructures and is supported by a dedicated mobile research team at McAfee.


March 26, 2007, 10:35 AM PDT
Symantec announces new mobile security suites
Posted by: Robert Vamosi

Symantec beefed up its existing enterprise mobile security suite in response to dual-mode (cell and wireless Internet) smart phones that have hit the market. The new suite, designed for corporations to roll out to their employees using Windows Mobile technology, includes an antivirus application; a personal firewall; an anti-SMS spam application; data encryption for both the device itself and memory cards; feature control to disable Bluetooth, wireless, and syncing when not necessary; and an optional virtual private network (VPN), version 2.6, with network access control that can be set to allow only policy-compliant devices.

In May, Symantec plans to release a consumer version, Symantec Mobile Security. The suite will include antivirus protection, a personal firewall, anti-SMS spam protection, a password manager, and data-encryption technology.


March 23, 2007, 12:52 PM PDT
Is Windows Vista the most secure operating system?
Posted by: Robert Vamosi

Jeff Jones, Security Strategy director in Microsoft's Trustworthy Computing group, has posted a PDF report showing that in its first 90 days, Windows Vista had fewer vulnerabilities than competing operating systems. He produces a chart illustrating that Windows XP in its first 90 days required Microsoft to patch a total of 14 vulnerabilities, 8 rated critical; Red Hat needed to patch a total of 181 vulnerabilities, 58 rated "high severity" by the U.S. National Vulnerability Database, within Enterprise Linux 4 Workstation's first 90 days; Ubuntu had to fix 24 vulnerabilities disclosed before the public release of Ubuntu 6.06 LTS, with 7 of 9 critical vulnerabilities patched within the first week; and Jones says that Apple had to fix 10 vulnerabilities already publicly disclosed prior to the release of Mac OS 10.4 and another 4 during the first 90 days after the April 29, 2005 release. All the above data comes from Jones and Microsoft.

Jones notes that within Windows Vista's first 90 days, Microsoft issued only one security bulletin, MS07-010, which covered the Microsoft Malware Engine and applies to other versions of Windows as well as Windows Live OneCare. (So, what, it's not really a vulnerability within Windows Vista?) However, Microsoft did not issue its March 2007 security bulletin, leading some critics to allege that Microsoft fixed the results. The April 2007 security bulletin, should it be full of Windows Vista vulnerabilities, would certainly support that theory.

Another way to look at the relative security of an operating system is to consult an independent source. We frequently cite vulnerability statistics from security vendor Secunia. They say that, to date, Windows Vista has 67 percent unpatched vulnerabilities (2 of 3 Secunia advisories).

How does that compare to the competition?

  • Windows XP Professional scores 18 percent in unpatched vulnerabilities (33 of 179 Secunia advisories) over the lifetime of the product.

  • Windows XP Home also scores 18 percent in unpatched vulnerabilities (30 of 163 Secunia advisories) over the lifetime of the product.

  • Sun Solaris 10 scores 11 percent in unpatched vulnerabilities (11 of 99 Secunia advisories) over the lifetime of the product.

  • Apple Mac OS X (all flavors) scores 7 percent in unpatched vulnerabilities (7 of 100 Secunia advisories) over the lifetime of the product.

  • Red Hat Linux 9 scores 1 percent in unpatched vulnerabilities (1 of 99 Secunia advisories) over the lifetime of the product.

  • Ubuntu (Linux) scores a remarkable zero percent in unpatched vulnerabilities (0 of 61 Secunia advisories) over the lifetime of the product.

Looking at these numbers, one might conclude that Microsoft has a bit more work to do to prove that Windows Vista is more secure than the competition.


March 20, 2007, 9:44 PM PDT
Firefox 2.0.0.3 and 1.5.0.11 released
Posted by: Robert Vamosi

Mozilla today released security updates for Firefox 2 and Firefox 1.5. Security updates for Firefox 1.5 will be available only until April 24, 2007, when Mozilla will stop supporting the earlier version. Mozilla is encouraging current 1.5 users to upgrade to 2.0 soon. Current users of Firefox 2.0 and 1.5 will receive an automatic update notification and will need to reload the browser for the changes to take effect. This update patches a flaw in the FTP protocol used by Firefox. It has been reported that a specially coded FTP server could use this vulnerability to perform a rudimentary port-scan of machines inside the firewall. Mozilla says the vulnerability by itself poses no danger, but information about an internal network may be revealed and become useful to an attacker should there be other vulnerabilities present on the network. This update was first tested in beta release by Mozilla a few days ago.


March 16, 2007, 2:18 PM PDT
Mozilla to beta test its Firefox version 2.0.0.3 security updates
Posted by: Robert Vamosi

According to Mozilla, everyone who participated in the beta process for Firefox 2 will be offered a prerelease version of the next security and stability update within the next 24 hours. Beta builds and release candidates for browsers often receive wide testing and feedback as part of Mozilla's development community program, so why not pretest its security updates as well? The final release of Firefox 2.0.0.3 is expected to take place shortly after Mozilla completes its testing through this new program.


March 13, 2007, 2:40 PM PDT
Trend Micro purchases HijackThis
Posted by: Robert Vamosi

Trend Micro is now hosting its latest acquisition, HijackThis, on its TrendSecure Web site. Well-regarded as a tool for identifying malware on a computer, HijackThis often is used by technical support individuals to diagnose what's happening on a client's machine. HijackThis is not an antispyware tool, but lists the places within Windows where hijackers and other malware typically hide themselves. With the acquisition, Trend Micro announced some new features in the HijackThis 2.0 beta: the product now works with Windows Vista and Internet Explorer 7. Trend Micro maintained the look and feel of the original product, adding only an "Analyze This" function which links to the Trend Micro site for more information on suspicious items found within the log file. HijackThis remains free for all users (Trend Micro subscribers or not), and Trend Micro said it has no plans to change any of the active HijackThis forums that currently support the product.


March 13, 2007, 9:50 AM PDT
Seven Microsoft patches we want today (but won't get)
Posted by: Robert Vamosi

This month Microsoft did not release any patches within its March 2007 security bulletin, though it did update its Malicious Software Removal Tool. In the space where we'd ordinarily call your attention to important patches from Microsoft, we thought we'd highlight a few important open vulnerabilities. Four are of high-level concern, two of medium concern, and one of low concern. Four flaws affect Internet Explorer, one affects Windows, and two affect Office. The oldest flaw here dates back to July of 2006. In case you missed any previous Microsoft security patches for Windows and Office software, all are available via Microsoft Update.

CVE-2007-1091: High concern

Titled "Internet Explorer onUnload flaw (1091)," this flaw affects users of Internet Explorer, version 7 and earlier, and dates from February 27, 2007. Successful exploitation could lead to a denial of service (crash) and can allow remote access.

CVE-2006-6696: High concern

Titled "Windows flaw in WINSRV.DLL (6696)," this flaw affects users of Microsoft Windows 2000, XP, 2003, and Vista, and dates from December 22, 2006. Successful exploitation could lead to elevation of privilege.

CVE-2007-0870: High concern

Titled "Microsoft Word 2000 flaw (0870)," this flaw affects users of Microsoft Word 2000 and dates from February 12, 2007. Successful exploitation could lead to remote code execution.

CVE-2007-0913: High concern

Titled "Unspecified PowerPoint flaw (0913)," this flaw affects users of Microsoft PowerPoint and dates from February 13, 2007. Successful exploitation could lead to elevation of privilege.

CVE-2006-4219: Medium concern

Titled "Terminal Services COM object flaw in Internet Explorer 6 (4219)," this flaw affects users of Internet Explorer 6 and dates from August 18, 2006. Successful exploitation could lead to a denial of service (crash) and can allow remote access.

CVE-2006-3360: Medium concern

Titled "COM object flaw in Internet Explorer 6 (3360)," this flaw affects users of Internet Explorer 6 and dates from August 18, 2006. Successful exploitation causes a denial of service (crash) or possibly the execution of malicious code.

CVE-2006-2658: Low concern

Titled "Internet Explorer 'FolderItem' Object Access Remote Denial of Service Vulnerability (2658)," this flaw affects users of Internet Explorer 6 and dates from July 18, 2006. Successful exploitation causes a denial of service (crash) or possibly the execution of malicious code.
