'Critical' Vista, IE 7 patches highlight MS security updates

This month's batch of patches from Microsoft includes six bulletins covering at least 15 vulnerabilities, including several critical code execution holes in Windows Vista and Internet Explorer 7.

In all, Redmond pushed out four critical bulletins with fixes for flaws that could put Windows users at risk of complete PC takeover attacks.

The most serious is a cumulative Internet Explorer update (MS07-033) that affects all versions of the dominant browser -- IE 5.01 on Windows 2000 through IE 7 on Windows Vista.

The mega IE update addresses a total of six flaws, including one that was publicly discussed prior to Patch Tuesday. Interestingly, all six IE bugs are rated "critical" across the board, except for some versions of Windows Server 2003.


Another high-priority update to pay special attention to is MS07-035, which touches a "critical" vulnerability in the way that the Win32 API validates parameters. This bug does not affect Windows Vista.

Microsoft provides a dire warning:

An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Windows Vista is also immune to MS07-031, a "critical" bulletin that covers a flaw in the Secure Channel (Schannel) security package in Windows. "This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using an Internet Web browser or used an application that makes use of SSL/TLS," according to the bulletin. Affected software includes Windows 2000, Windows XP and Windows Server 2003.

However, the built-in Windows Mail client in Vista didn't escape unscathed. The MS07-034 update contains fixes for four vulnerabilities (two publicly discussed before today) that could lead to code execution attacks. This update also affects Outlook Express.

The gaping hole that dings Windows Vista comes with this warning:

A remote code execution vulnerability results from the way local or UNC navigation requests are handled in Windows Mail. An attacker could exploit the vulnerability by constructing a specially crafted e-mail message that could potentially allow execution of code from a local file or UNC path if a user clicked on a link in the e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Windows Vista users will also see an automatic update for MS07-032, a "moderate" bulletin that fixes an information disclosure issue. The bug "could allow non-privileged users to access local user information data stores including administrative passwords contained within the registry and local file system," Microsoft warned.

The last bulletin this month (MS07-030) fixes two "important" bugs in Microsoft Visio 2002 and Microsoft Office Visio 2003.


Talkback

125 comments
  • More critical security updates for Vista & Internet Explorer.

    I thought that Vista & Internet Explorer were the most secure on the planet. NOT! Now watch all the shills and fanboys jump on this one. Calling mister zealot and ye, here is your chance to defend the HIVE!
    Intellihence
    • Also as a side note ,,,

      Coding for Windows must suck. If you haven't noticed yet, but just about every product that comes out is having problems with Vista. Why? Is Vista so locked in? Why do they have so many locks on Vista? I'm still betting that Windows Vista is sitting on top of the Linux kernel.
      Intellihence
      • I always wonder why most ie vulns end with

        "An attacker who successfully exploited this vulnerability could take complete control of an affected system."
        Suicida|
        • Because it is the truth <NT>

          <NT>
          Intellihence
          • "Beyond the Vista

            a leopard just wet himself"
            John Zern
      • RE:Also as a side note ,,,

        Wrong as usual. It's not Vista, or MS's fault if some device manufacturers aren't on the ball with writing drivers. Vista has no problem with any of my devices. Nice try
        bmore_bro69
        • Message has been deleted.

          Intellihence
          • How is that different than apple?

            Can I pick up any old piece of hardware and run it on OSX? Of course not. Apple doesn't come close to supporting the variety of hardware that Vista supports, much less XP.

            And I'm not a zealot, but I do find the criticism about driver support disingenuous at best.
            notsofast
          • different in that MS supports far more hardware

            It is disingenuous, of course. After the beating Safari has taken in the last couple of days, it's not at all surprising that the zealots are out in full force.

            Beyond the vista, a leopard is choking on its photocopier
            rtk
          • And Mac's who comment on every MS post...

            ...like you. Dude, do you read what you write? Look in the mirror, you're no better. Man, how old are you, 10?!?!?
            fr0thy2.
      • Actually that must fall to Apple as well...

        Read the posts about Safari....it's tough to eat crow especially for a little boy.
        fr0thy2.
      • To All: spot "boy" Leopard is scared of Vista

        Otherwise he would not be so interested in the failures and successes. Only a child would act this way... His posts highlight his immaturity and lack of knowledge. It's actually become a game of ours to see which posts he responds to. We have a pool, and we pick the posts and bet. Just like betting on other low intelligence animals...it's fun. Everyone should try it.
        fr0thy2.
      • re: Also as a side note ,,,

        Keep on spreading the FUD, Leopard-panties. The only programs I've had problems running on Vista are older, oddly-coded, and un-updated (no longer directly supported) applications.
        M.R. Kennedy
      • lordie...

        It's sitting on the NT kernel, and is the first system to be completely so. Vista isn't really locked in at all... you have full freedom. You don't even have to type in the administrator password like you would on a Mac to install something. You click Allow. When the message comes up, remote access is disallowed, which means you can't have remote scripts running to take your PC. Big deal. The at command is now limited, and was the major way to hack unprotected XP. The products are having trouble with Vista because Vista is NOTHING like XP. It's completely different code. It looks and acts the same due to AMAZING coding. Vista not only runs Vista, but emulates XP, ME, Win2k, and Win98. It can PRETEND to be DOS based. And, when they finally release the update to allow the new shell, everything I've read points to it being as good or better than BASH. So, now that Microsoft is finally stealing from Linux and not Apple, we will really see results that don't suck.

        PS: NT kernel is nothing like the linux kernel. If you want to really understand the linux kernel, try LFS (Linux from scratch) so you actually KNOW what the linux kernel does, and from now on, crap out of somewhere other than your mouth.
        evilkillerwhale
    • Don't you ever get tired of hearing your gums flapping together??

      <nt>
      Hallowed are the Ori
      • I'm sorry to say but

        I have teeth. It's more like don't I ever get tired of hearing my teeth gnashing. The answer is NO, especially when it comes to microsloth windblows. Now get back to your patching, sucker. Oh, and let's hope that the patch doesn't break your machines. Even better, let's hope that these patches fix the problems and that next month you won't need more patches to fix these patches.
        Intellihence
        • back to patching?

          The machines do it themselves, with nothing for me to do but read a report.
          Doesn't Apple handle the dozens of security patches (this year alone) the same way?

          And no, you have no teeth. Just petty anger that a large portion of the world runs (very successfully) on MS products.
          mdemuth
          • Oh I have teeth literally,

            which is more than what I can say for the old folks hanging around here after so many years.
            Intellihence
          • wealthy - go play with your mp3s, and shoot a video with the other slackers

            <nt>
            fr0thy2.
          • Petty but wealthy

            "Just petty anger that a large portion of the world runs (very successfully) on MS products."

            And a growing portion of the world runs just as successfully and has more money in their pocket without MS products.

            lol. Amazing what you can do with all that license money.
            Chad_z