IE gets security makeover in Patch Tuesday batch

Summary: Microsoft's final batch of patches for 2007 has been released to cover at least 11 security vulnerabilities that put millions of users at risk of remote code execution attacks.


The December updates include a "critical" bulletin with patches for at least four flaws affecting Internet Explorer and two separate high-severity bulletins for code execution bugs in Windows Media File Format and Microsoft DirectX.

The most serious bug addressed in the IE update (MS07-069) could allow drive-by exploits if a user viewed a specially crafted Web page using an unpatched browser. It carries code execution risks for most versions of Windows, including the newer IE 7 on Windows Vista.

Microsoft also called special attention to MS07-068, which covers a remote code execution vulnerability in the way Windows Media Format Runtime handles Advanced Systems Format (ASF) files. This issue affects all versions of Windows, including Vista.

Microsoft spells out the potential attack vectors:

In client applications, such as Windows Media Player, an attacker could exploit the vulnerability by constructing specially crafted Windows Media Format Runtime content that could potentially allow remote code execution if a user visits a specially crafted Web site or opens an e-mail message with specially crafted content. In server applications, such as Windows Media Services, an attacker could exploit the vulnerability by constructing specially crafted Windows Media Format Runtime content that could potentially allow remote code execution if the server processes the specially crafted content. In client and server applications, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

A third critical bulletin (MS07-064) addresses two different vulnerabilities in Microsoft DirectX, the set of APIs that handles multimedia (game and video) programming. The two bugs could allow code execution if a user visits a specially crafted Web site or opens an e-mail message with specially crafted content, Microsoft warned.

One of the seven bulletins (MS07-066) is unique to Windows Vista.  It provides an "important" fix for a privilege escalation flaw in the way the Windows kernel processes certain access requests.  Microsoft acknowledged that an attacker who successfully exploited this vulnerability could take complete control of an affected Vista system.

Microsoft also provides a belated fix (MS07-067) for the well-known -- and under attack -- vulnerability affecting the Macrovision secdrv.sys driver that's installed by default on Windows XP and Windows Server 2003. This issue first surfaced in mid-October and was confirmed by Microsoft in early November but, inexplicably, it took two patch-release cycles for Microsoft to include the fix for Windows users.

Code execution holes are also patched in Server Message Block Version 2 (MS07-063) and  Message Queuing Service (MS07-065).  These bulletins are rated "important."

Talkback

35 comments
  • Vista proves its value once again.

    I repeat: If you needed a reason to upgrade to Vista its improved security should be enough by itself.
    ye
    • question

      can we afford to upgrade our hardware?

      :o)
      Jack-Booted EULA
      • Why are you asking me? I know nothing of your financial...

        ...situation. Nor do I know what your current computing environment is like.
        ye
    • Missing Something

      While I agree that Vista is much more secure than XP, I can't bring myself to recommend it to anyone, it is XP or Linux for non security reasons, but I digress. One of the vulnerabilities is "unique" to Vista.

      [B]It carries code execution risks for most versions of Windows, including the newer IE 7 on Windows Vista.[/B]

      [B]This issue affects all versions of Windows, Including Vista.[/B]

      [B]One of the seven bulletins (MS07-066) is unique to Windows Vista. It provides an "important" fix for a privilege escalation flaw in the way the Windows kernel processes certain access requests. [/B]

      Seriously, I have said this before, and I hope SP1 fixes it, but Vista is not viable for many to upgrade to in its current form (despite wanting to move people to a more secure platform) with increased requirements and vastly more restrictions. A move in the right direction, removing the kill switch, but still wait and see.

      TripleII
      • I missed nothing. According to the rules...

        ...MS07-066, while unique to Vista (does this really matter), is not remotely exploitable and the user needs to have a valid account. Therefore it doesn't count.

        As for MS07-069 (the one you're referencing in your first highlighted sentence), it does not count because it's not a "root" exploit.

        If you choose not to move to Vista for other reasons that's your choice. But that doesn't change what I said about security being a reason to move to Vista. As I've been saying for quite some time: People don't put security first. They whine, complain, gripe, moan, and groan. But when it comes to security most people choose something else over security. That's OK...it's understandable. But then they shouldn't be whining, complaining, griping, moaning, and groaning about their systems becoming infected.
        ye
    • Message has been deleted.

      Intellihence
      • all i got today was updates for office none for vista it might be

        all i got today was updates for office none for vista it might be because i use sp1 but i did not have any updates for vista.
        SO.CAL Guy
        • I Got The Vista Updates

          I bought a new Vista laptop over the weekend. Monday night I ran Windows Update and got tons of updates. Tuesday I got several additional updates, including the ones discussed, so they are out there.
          Pony99CA
  • RE: IE gets security makeover in Patch Tuesday batch

    With these updates, if one takes a good look, a lot of these problems are design related rather than being poor coding; if you had poor design and try to tack on security 15 years after the first line of code has been written - your attempt to secure is doomed to failure.

    Security is something that needs to be written into the application from day one; secure by design needs to occur from day one rather than years later making compromises for the sake of 'compatibility' with the few whinging whining customers and lazy developers who can't be bothered learning how to programme properly.
    Kaiwai
    • It is interesting that IBM's OS/2

      which Microsoft introduced as "NT" was never a security problem. But then IBM didn't place the GUI into the kernel nor integrate applications into the kernel.

      This is most likely evidence of the design philosophy mentioned by kaiwai. It is also interesting that OS/2 provided much better legacy support than Microsoft ever supplied.
      Update victim
      • Actually

        Microsoft I think a year ago admitted that a lot of the problems we see today were due to the heady 90's, when things were just thrown into Windows without consideration about the impact it could have on the security, stability or reliability.

        Sure, UNIX had security issues, but the difference is that they were code quality issues, rather than fundamental design flaws. Those were fixed, and now it's the gold standard. OpenVMS avoided stupid insecure languages, and again, they did it right.
        Kaiwai
        • Windows is based on VMS.

          I thought the designer of VMS (I don't remember his name) left Digital and became the boss of NT development at Microsoft.

          I used to work with VMS in the 1980's. A lovely operating system. It seemed to be very secure then.

          So I wonder what happened!?
          I am Gorby
          • Oh come on...

            Let's not create an urban myth; yes, Dave Cutler used to work for Digital, and yes, he worked on creating VMS; but Windows is not even close to VMS. VMS was based on MACRO and BLISS - two very safe languages which provide a stable and secure basis for the operating system.

            Everything went off course when the overriding concern was win32 and win16 compatibility, when the focus was 'teh snappy' rather than getting things right; NT 4 was the start, ramming the graphics into the kernel, and everything went down from there.
            Kaiwai
          • Ummm.. Not quite.

            Ummm.. I worked on VMS for several years in college. "MACRO" is the name of the assembler - assembly language code is NEVER "very safe". BLISS (actually it was Bliss32, but who's counting - BLISS was a language written for DecSystem 10's) is a language that is even less safe than C - its primary design goals were a) to be easy to optimize and b) to enable system programming.
            LarryOsterman
          • Re Bliss and security

            Actually Bliss32 and other languages in the VMS environment did not pose any safety risk to the OS (other than lazy programmer impacts). Subversion of code by many of the current hacking techniques was and still is prevented by the excellent hardware memory protection design that was leveraged by the OS.

            For an application to be able to overwrite execute code with a data stream is virtually impossible. The programmer would need to disable the default memory management which stores code in memory that is readable and can execute code with data stored in memory that was readable and writeable but not executable.

            Additionally mechanisms would need to be coded into the program to facilitate any attempt to amplify privilege.

            To this day it is still very hard to break into or alter a normal VMS system that is connected directly to the internet.
            schmidt@...
        • Insecure Languages?

          Insecure languages? Sorry, but there's no such thing. Languages, even including run-time libraries, are not inherently secure or insecure. The run-time libraries may be coded insecurely, and programs written in certain languages may be more difficult to write securely, but insecurities are almost always because the programs were designed and/or written insecurely in the first place.

          Of course, before the Internet became popular, that wasn't a huge deal (other than in banking and defense systems, perhaps). At worst, your program would crash, but almost nobody thought about trying to take control of somebody else's computer because most people who could were employed by the company that owned the computers. The people who tried back then have the same name today -- criminals.
          Pony99CA
      • You've goofed here

        There were two development paths intended for OS/2. MS was supposed to do the odd-numbered vers, while IBM would do the even-numbered vers.

        OS/2 version 1.x sucked, partly because MS was developing Windows and "borrowing" resources for that.

        IBM brought out OS/2 2.0, and MS walked out of the compact to do Windows, and rewrote their OS/2 ver 3.x into NT 3.1, aka "Son of Sucks," "Nice Try," "Not There," "No Technology," and other accurately-descriptive tags.

        IBM went ahead and continued OS/2 development with vers 3 and 4, and eventually this evolved into eComStation, but never became any version of NT. If they hadn't abandoned OS/2 . . .but, oh, well . . .

        I'd like to see the "Open Source OS/2" petition succeed. If MS were faced with a revitalized OS/2 and Linux, both open source, they would be forced to make Windows work properly (or admit that they can't).
        critic-at-arms
    • Do try and educate yourself about Windows.

      [b]"Security is something that needs to be written into the application from day one;"[/b]

      Windows NT, of which Windows XP and Vista are derived, was designed with security in mind since day one. Aside from implementation details the security model used in Windows is identical to many UNIX variants (save for the SE type distributions).
      ye
      • NT Security design

        Actually I will take issue with the premise of security design in NT. If security design were the case, old dos based 16 bit code would never have been incorporated into the kernel, hardware memory protection would have been enabled (actually required) and I/O transfers would have been architected such that buffer overrun would not be possible.

        See VMS of that era for where Dave Cutler was working before he went to Microsoft to work on NT.

        Unfortunately the desire to be compatible saddled NT and all Microsoft OS implementations since with a fundamental hw/sw platform deficient in real security features and underpinnings.

        One look at VMS privilege granularity from 1977 will show that the internal security management architecture in windows products is not granular enough to provide a robust security system.
        schmidt@...
        • Can you support this claim? As well as...

          [b]"old dos based 16 bit code would never have been incorporated into the kernel"[/b]

          I've never heard of this. As far as I know it is/was a separate subsystem.

          [b]"hardware memory protection would have been enabled (actually required)"[/b]

          It is and has been since Windows 3.1. Or do you have proof contrary?

          [b]"I/O transfers would have been architected such that buffer overrun would not be possible."[/b]

          Can you elaborate?

          Looks like you're clueless. Take my advice: Learn about Windows NT before speaking.
          ye