ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Critical IE, Excel updates headline bumper Patch Tuesday

By | August 14, 2007, 11:16am PDT

Summary: The cumulative Internet Explorer update headlines a bumper batch of nine bulletins that contains fixes for 14 documented software vulnerabilities.

Microsoft has shipped a major Internet Explorer update to cover at least three code execution vulnerabilities in its flagship Web browser.

The cumulative IE update (MS07-045) headlines a bumper batch of nine bulletins that contains fixes for 14 documented software vulnerabilities.

The update affects IE 5.0 through IE 7.0 on Windows Vista but, because of defense-in-depth mitigations, the severity rating has been reduced to “important” on the newer versions.

Microsoft explains the three bugs:

  1. A remote code execution vulnerability exists in the way Internet Explorer parses certain strings in CSS. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
  2. A remote code execution vulnerability exists in the ActiveX control, tblinf32.dll. This control can also be found under the name of vstlbinf.dll. Both of these components were never intended to be supported in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the Web page.
  3. A remote code execution vulnerability exists in the ActiveX object, pdwizard.ocx. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

In all, there are six critical bulletins in the August batch. These affect Microsoft XML Core Services (Windows 2000 through Windows Vista); Object Linking and Embedding (OLE) automation (Vista is not affected); Microsoft Excel (Office 2000, Office 2003, Office XP and Office 2004 for Mac); Graphics Rendering Engine (Windows 2000 through Windows Server 2003); and Vector Markup Language (IE 5.0 through IE 7.0 on Windows Vista).

The other three bulletins cover:

MS07-047 — Two code execution holes in the way Windows Media Player parses and decompresses skins. This is rated “important.”

MS07-049 — Patches an elevation of privilege vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or another guest operating systems. This update carries an “important” rating.

MS07-048 — This applies to at least three serious flaws in Windows Gadgets. This “important” update is specific to Windows Vista and affects the Feed Headlines Gadget, the Weather Gadget and the Contacts Gadget.

* More to come as I wade through the nine bulletins.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Web, Attacker, Vulnerability, Microsoft Windows Vista, Microsoft Windows, Microsoft Internet Explorer, Microsoft Corp., Web Page, Bulletin, Execution Vulnerability, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

28
Comments
Add Your Opinion

Join the conversation!

Just In

Let me see
Freebird54 18th Aug 2007
Hmm - IE is shipped with the OS. Ie can not be removed from the OS and have it still run. Not the OS? In the same manner, you could reasonably count Firefox problems as a problem with (for example) Ubuntu for the same reason. The objection is to counting things that can be removed without penalty as OS flaws.

If your eyes have stopped rolling - care to recount?

Of course, flaw counts aren't much of an indicator of anything beyond showing that somebody cares, and is trying to fix potential (and sometimes actual) problems. Mostly one should read these to determine (after reading about what's affected, and waiting to see what problems (if any) the fix introduces) whether or not to allow the updates to take place. In my case, none of these need to be fixed, as I wouldn't let MS have internet access anyway... happy
View in thread
0 Votes
+ -
The last two vulnerabilities aren't even in IE
PB_z 14th Aug 2007
Just so you know, the two "ActiveX Object Memory Corruption" vulnerabilities are not actually vulnerabilities in IE. I have never heard of pdwizard.ocx or tblinf32.dll -- according to the bulletins they are part of Visual Basic 6.

Microsoft puts these killbits in with the IE security updates as defense in depth to protect IE, but the fact remains that the bugs are still present in those two files. Other products that can use ActiveX controls, such as Microsoft Word, would still be vulnerable.

Unfortunately by putting these killbits in with IE they are making their vuln count artificially high.
0 Votes
+ -
Plus the first vulnerability only affects IE 5.01
PB_z 14th Aug 2007
So it appears that unless you are running Win2K with IE 5.01, or have Visual Basic 6 on your machine, you are not affected by any of these three vulnerabilities.
0 Votes
+ -
Breaks the following forum requirements for Vista:
ye 14th Aug 2007
1. Requires user interaction.
2. No exploits in the wild.
3. Does not gain administrative rights.

If you still need a reason to upgrade to Vista here is another reminder.
0 Votes
+ -
Should have been a reply to the story.
ye 14th Aug 2007
.
0 Votes
+ -
Oh great !
Intellihence 14th Aug 2007
Now the MS fanboys don't think this is a big deal . 9 patches for Windows and Internet Explorer plus three more for Microsoft Office . The fanboys claim that this isn't an issue . I wonder how long these bugs have been in the wild now ? If anything , I'm sure we will be seeing more of these bumper patches every month now . It's not the end of the summer yet and look at all these patches arriving at my kids XP machine .
0 Votes
+ -
Translation
Beyond the Vista, A Leopard is starving 14th Aug 2007
I wish all those MS users would come thundering over to OS X, and then we'd have the demographics and the marketing clout, and we'd be the big man on the block. I hate sitting in obscurity.
0 Votes
+ -
You are funny .
Intellihence 14th Aug 2007
If anything I wish MS users to remain MS users . You translated incorrectly . Wanna try again ? Maybe this time you will get a cigar ,,,
0 Votes
+ -
Makes sense to me.
notsofast 15th Aug 2007
If everyone went to Apple, then all the apple users would complain about all the security holes in the OS.
0 Votes
+ -
Absolutely LOVE the sig line!!!
No_Ax_to_Grind 14th Aug 2007
Still laughing... Starving Leppard Buwahahahahahahaha
0 Votes
+ -
Be carefull of what you wish for
jescocom 15th Aug 2007
If that were to happen then Apple would be releasing all those patches each month.
0 Votes
+ -
And OS X had, oh yeah 50!!!!!
No_Ax_to_Grind 14th Aug 2007
Your a sad little clown.
0 Votes
+ -
Stalk this...
No_Ax_to_Grind 14th Aug 2007
http://blogs.zdnet.com/security/?p=172

"Apple has issued a mega-update with patches for 25 new security vulnerabilities affecting Mac OS X users.This is the fourth update (89th security patch) issued by Apple in 2007."

89, yes, your read it right 89!!!

My gawd, is there any of the original code even there? The name Apple and the word security should never be used in the same sentence!
0 Votes
+ -
14 documented software vulnerabilities
Ole Man 14th Aug 2007
Microsoft explains the three bugs:
Blah blah bla-bla blah blah blah blah

The other three bulletins cover:
Blah bla-bla-blah blah blah blah

Understand?

Now get ready for the next bunch!
0 Votes
+ -
And your OS of choice is bug free?
ye 14th Aug 2007
Understand? Didn't think so.
0 Votes
+ -
Try 50 in one shot!
No_Ax_to_Grind 14th Aug 2007
No kidding
0 Votes
+ -
Why is it ok...
jasonp@... 15th Aug 2007
for any OS to have so many security bugs? Some will tell you "it's inevitable, all software has bugs". There's nothing quite like setting the bar so low as to effectively have no bar to begin with to spur big business into fixing what's broke. There is literally no reason for Microsoft to take security seriously as long as they've got great constant cashflow. The software business really is worse than the airline business. Might as well farm out everything to India since we can get the same bugs for a fraction of the cost.
0 Votes
+ -
OS?
notsofast 15th Aug 2007
I just scanned the fixes, but only saw 3 that were the OS. Oh wait, that's right, when it's a MS bug fix, applications are part of the OS. When it's a Macintosh or Linux application or utility fix, the problem is in the app. :rolleyes:
0 Votes
+ -
Every time I here that there's a fix out...
jasonp@... 16th Aug 2007
for SAMBA or OO or any of the other third party applications that get distributed with Linux, it's a Linux problem. You have a problem with the same analogy, too bad.
0 Votes
+ -
You can thank Microsoft for that.
Rick_K 16th Aug 2007
Remember it was Microsoft that made the claim that ie, media player, etc. etc. were
an integral part of the OS. The claims were made (by Microsoft) that removing these
apps would damage the OS. Also of note; Wasn't it Microsoft that said they don't list
all the flaws, in an effort to keep the crackers from exploiting them? So if the
"update" is more than 14 actual patches (remember Microsoft does a lot of "silent"
fixes). There is something to be said about the flaw count.
0 Votes
+ -
Let me see
Freebird54 18th Aug 2007
Hmm - IE is shipped with the OS. Ie can not be removed from the OS and have it still run. Not the OS? In the same manner, you could reasonably count Firefox problems as a problem with (for example) Ubuntu for the same reason. The objection is to counting things that can be removed without penalty as OS flaws.

If your eyes have stopped rolling - care to recount?

Of course, flaw counts aren't much of an indicator of anything beyond showing that somebody cares, and is trying to fix potential (and sometimes actual) problems. Mostly one should read these to determine (after reading about what's affected, and waiting to see what problems (if any) the fix introduces) whether or not to allow the updates to take place. In my case, none of these need to be fixed, as I wouldn't let MS have internet access anyway... happy
0 Votes
+ -
There's "bugs" and there's "design flaws".
Resuna 15th Aug 2007
There have been serious design flaws in network protocols and applications
shipped with UNIX. The host-IP based security in the Berkeley "r-suite" of
applications was hopelessly naive.

The difference is that virtually every UNIX system has disabled or even removed
these protocols. You have to go in and edit little text files or even reinstall them to
turn them back on. You can't do it by accident, and if you know enough to do it
you know you shouldn't.

Microsoft, on the other hand, not only refuses to fix design flaws it fights the DoJ
to a standstill in order to keep the in, and modifies the OS so that users can't
reliably remove them without damaging their ability to use it!

I'll take the remaining bugs one by one rather than deal with an unfixable trojan
horse built into the GUI itself.
0 Votes
+ -
Patch day already?
Chad_z 15th Aug 2007
Seems like we just get cleaned up from the last one and a new one rolls in. Ahh, I love patch announcements in the am. Sounds like...more billing. lol.

I'm in the mon-ey, I'm in the mon-ey dah-da-da-da-da-ta...I'm in the mon-ey...
0 Votes
+ -
Yo . . . Chad . . .
brian ansorge 16th Aug 2007
LMAO. Thanks . . .

You're shameless . . . "cleaning up" in more ways than one . . .

Thanks to Redmond's ineptitude . . .

"Unless the computer is re-architected from scratch, which will not happen in the
next 100 years, we are set on a path of never-ending misery. Windows Vista
proves it."

John C. Dvorak
PC Magazine
Jan 29, 2007
0 Votes
+ -
IE Patches
tim.haugan@... 15th Aug 2007
Installed on my home PC last night using auto update. It made IE not work - can't reolve DNS entries. I uninstalled and it resolved. More Microsoft quality!
0 Votes
+ -
Patches
aaron.white@... 15th Aug 2007
What patch did you install and have to unistall?
0 Votes
+ -
internet explorer patches
jan133 15th Aug 2007
i am really concerned about downloading the patches for internet explorer - last time this happened it screwed up my access to games on pogo - i have my computer set for automatic updates except i did block it for internet explorer 7.0 as i was told on a computer newsletter not to download it
0 Votes
+ -
#2 is the same design flaw I've been bitching about for 10 years.
Resuna 15th Aug 2007
"A remote code execution vulnerability exists in the ActiveX control, tblinf32.dll.
This control can also be found under the name of vstlbinf.dll. Both of these
components were never intended to be supported in Internet Explorer."

There should not be a mechanism inside IE, at all, to allow the execution of any
code that has not specifically been registered (by an already installed program, not
automatically through a web page) for execution by "untrusted" objects.

That is, the HTML control should not be the gatekeeper for this, and it shouldn't be
executing components directly... it should be calling back to the application (IE,
Windows Update, Outlook, whatever) and letting THAT program look the control up
in *its* list of registered controls to decide whether to run it or not.

And of course letting controls install themselves (through trusted sites or
otherwise) is just crazy.

Until M$ does something about the fundamental design of IE it will never be secure
enough for regular use. *Never*
0 Votes
+ -
Log on locally?
BoisD'Arc 17th Aug 2007
Microsoft Security Bulletins contain a section called "Vulnerability Details".

Frequently, I'll read something like this in the bulletin -
"Mitigating Factors for ... Vulnerability: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

Does this mean that an attacker would have to have physical access to my computer? If it can't be exploited remotely, and there is no chance an attacker could gain physical access to my computer, can I safely ignore such updates?

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix