The second zero-day plugged Tuesday was handled by MS07-067, which provides an update to the Macrovision driver that has been involved in attacks for more than a month. Although Macrovision issued a replacement driver for Windows XP and Server 2003 weeks ago, Microsoft missed including a fix for the driver in November's patch because it needed more time to prepare and test the update.
Also among Tuesday's patch batch were two bulletins -- MS07-063 and MS07-066 -- that affect only Windows Vista. Both updates were tagged as important rather than critical, even though Microsoft acknowledged that they could result in remote code execution.
"[These] are pretty nasty bugs, but there are enough mitigating factors to knock them off the top tier," said Storms. Both he and Sarwate noted that attackers have to have valid log-on credentials and must log on locally in order to exploit the bug patched by MS07-066, while the other Vista-only vulnerability's impact is limited because the affected part of the Server Message Block Version 2, or SMBv2, protocol isn't turned on by default.
But even with a glut of patches -- the most Microsoft has issued since August -- there was at least one fix missing, said Sarwate. "WPAD has not yet been addressed," he said, talking about a flaw in Web Proxy Auto-Discovery servers that Microsoft confirmed eight days ago.
The seven updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).