Microsoft slaps bandaid on IE, MS Word

Summary: Microsoft's dominant Internet Explorer browser has undergone a security makeover to correct at least four vulnerabilities that could be used in code execution attacks if a user simply surfs to a maliciously rigged Web page.


The cumulative IE update (MS07-057), shipped as part of this month's Patch Tuesday updates, carries a "critical" rating on all versions except for IE 7 on Windows Server 2007. Internet Explorer 7 on Windows Vista is affected.

In all, Microsoft released six bulletins (one was withdrawn at the last minute) with patches for at least nine software vulnerabilities.

Two of the four vulnerabilities being patched -- browser entrapment bugs that make it easy to launch phishing attacks -- were first discussed back in February, when Michal Zalewski published proof-of-concept exploits.


The ever-present Microsoft Word application also gets a major bandaid in this patch batch. The software giant's 60th bulletin for 2007 (MS07-060) patches a "critical" remote code execution vulnerability that exists in the way the word processing program handles specially crafted Word files.

"The vulnerability could allow remote code execution if a user opens a specially crafted Word file with a malformed string," Microsoft warned.

The flaw affects users of Office 2000, Office XP and Office 2004 for Mac.

A third "critical" bulletin (MS07-055) provides cover for a remote code execution vulnerability affecting the Kodak Image Viewer, formerly known as the Wang Image Viewer. This flaw is most serious on systems running Windows 2000, but Microsoft warned that Windows XP and Windows Server 2003 may also be affected if they were upgraded from Windows 2000.

Windows Vista users should also pay attention to MS07-056, which covers a nasty flaw in the way Outlook Express and Vista's built-in Windows Mail handle NNTP responses. This bug could be exploited if a user simply browses to a booby-trapped Web site.

The October updates also include MS07-058, covering an "important" denial-of-service flaw in RPC authentication (Windows Vista is affected); and MS07-059, which corrects a privilege escalation bug affecting Windows SharePoint Services 3.0 and Office SharePoint Server 2007.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
