Microsoft patches nine bugs in Windows, IE, Word

But it spiked one update at the last minute for the second consecutive month

Microsoft this week released six security bulletins that patched nine vulnerabilities in Windows, Internet Explorer (IE), Microsoft Word, Outlook Express and SharePoint. But for the second time in two months, it yanked an update at the last minute.

Four of the six updates were rated critical, Microsoft's highest threat warning, while the remaining two were judged important, the next-lowest notch in the company's four-step scoring system.

MS07-057, the critical update to IE, should be patched first, said Andrew Storms, director of security operations at nCircle Network Security. "It's an update for every version of IE, and for every supported version of Windows, so its impact is across the board," he said. Of the four vulnerabilities patched by the update, three are related to address bar spoofing, the practice of disguising the URL shown by a browser to trick users into thinking they're visiting a safe or legitimate site. Two of those three were publicly disclosed in February and July, the first by Polish researcher Michal Zalewski and Danish researcher Jakob Balle of Secunia, the second by Zalewski alone.

Although Microsoft said it had no information to indicate that any of the IE vulnerabilities, the address spoofing bugs included, had been exploited, Storms wasn't so sure. "The address bar spoofs would be perfect for the quintessential phishing campaign," he said. Exploits, he continued, would mask the URL of bogus sites with fake addresses of legitimate sites, and could trick even those users who pay attention to what's in their browser's address bar when they head to important pages, such as those where they log in to online banking accounts.

"Nobody can keep a secret like this for eight months, so one has to assume that the bug [disclosed in February] has been in use for some time," said Storms.

For the most part, however, the updates were a yawner for Tom Cross, a researcher with IBM Internet Security Systems' X-Force. "There's nothing here that is a huge, huge concern," said Cross. "They're just not that different from the things security professionals see every day. But that's good news, isn't it?"

Microsoft also patched critical vulnerabilities in Outlook Express on Windows XP and 2000, and Windows Mail on Vista; in Microsoft Word 2000 and XP on Windows and Word 2004 on the Mac; and in all supported versions of Windows except Vista. That third critical bulletin, MS07-055, details a flaw in the Windows image viewer that parses Kodak-formatted photos. The vulnerability resembles other image file bugs, such as the one in Windows Metafile that caused a ruckus in late 2005 and early 2006, but more importantly, it hints that attackers are still looking for such flaws. "The new vulnerability shows that there's an active research effort," said Storms, "primarily because of the vectors. You can host the image [on a malicious site] or send it [via an e-mail attachment]."

Of the two patch updates pegged as important, MS07-059 fixes an elevation of privilege flaw in SharePoint Services 3.0 and Office SharePoint Server 2007, while MS07-058 plugs yet another hole in Windows' RPC (remote procedure call) component. Exploits could crash the system and force it to reboot, said Microsoft, which led it to classify the vulnerability as a denial-of-service bug.

"There have been endless RPC issues with Windows," Storms noted. The most infamous RPC bug was the one patched in August 2003 that was quickly exploited by the Blaster worm in massive attacks that caused considerable damage to computers worldwide.

But Storms thought this week's vulnerability interesting more because of how Microsoft rated its threat than for the bug itself. "This illustrates that Microsoft has changed their rating of denial-of-service so that it's no longer considered critical," he said. "But I don't agree. Uptime is just as important as information confidentiality and integrity. If a system is unusable it means it's been compromised."


Gregg Keizer

Computerworld