Microsoft delivers two patches for three vulnerabilities; Plugs Vista hole

Summary:Microsoft on Tuesday delivered one "critical" addressing two vulnerabilities in XP and Vista and one "important" vulnerability in Windows 2000, XP and Windows Server 2003.The critical patch resolves two vulnerabilities (CVE-2007-0069 and CVE-2007-0066) reported by IBM ISS X-Force.

Microsoft on Tuesday delivered one "critical" addressing two vulnerabilities in XP and Vista and one "important" vulnerability in Windows 2000, XP and Windows Server 2003.

The critical patch resolves two vulnerabilities (CVE-2007-0069 and CVE-2007-0066) reported by IBM ISS X-Force. The vulnerability, which involved TCP/IP processing, was critical in XP and Vista, important for Windows Server 2003 and moderate for Windows 2000.

Microsoft says the first vulnerability allowed an "attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The flaw in XP and Vista could lead to a remote code execution worm. As for the technical details of the vulnerability Microsoft said the following:

A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MDLv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network.

The second patch takes care of a vulnerability (CVE-2007-5352) that allows an attacker to run "arbitrary code with elevated privileges." The update is deemed important for Windows 2000, XP and Server 2003. As for the technical details, Microsoft said:

An elevation of privilege vulnerability exists in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) due to its improper handling of local procedure call (LPC) requests.

Separately, Microsoft issued a security advisory for Windows Sidebar. Microsoft is updating Windows Sidebar to block vulnerable gadgets from running.

Topics: Operating Systems, Microsoft, Security, Software, Windows

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.