Microsoft delivers two patches for three vulnerabilities; Plugs Vista hole

Microsoft delivers two patches for three vulnerabilities; Plugs Vista hole

Summary: Microsoft on Tuesday delivered one "critical" addressing two vulnerabilities in XP and Vista and one "important" vulnerability in Windows 2000, XP and Windows Server 2003.The critical patch resolves two vulnerabilities (CVE-2007-0069 and CVE-2007-0066) reported by IBM ISS X-Force.

SHARE:

Microsoft on Tuesday delivered one "critical" addressing two vulnerabilities in XP and Vista and one "important" vulnerability in Windows 2000, XP and Windows Server 2003.

The critical patch resolves two vulnerabilities (CVE-2007-0069 and CVE-2007-0066) reported by IBM ISS X-Force. The vulnerability, which involved TCP/IP processing, was critical in XP and Vista, important for Windows Server 2003 and moderate for Windows 2000.

Microsoft says the first vulnerability allowed an "attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The flaw in XP and Vista could lead to a remote code execution worm. As for the technical details of the vulnerability Microsoft said the following:

A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MDLv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network.

The second patch takes care of a vulnerability (CVE-2007-5352) that allows an attacker to run "arbitrary code with elevated privileges." The update is deemed important for Windows 2000, XP and Server 2003. As for the technical details, Microsoft said:

An elevation of privilege vulnerability exists in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) due to its improper handling of local procedure call (LPC) requests.

Separately, Microsoft issued a security advisory for Windows Sidebar. Microsoft is updating Windows Sidebar to block vulnerable gadgets from running.

Topics: Operating Systems, Microsoft, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

23 comments
Log in or register to join the discussion
  • Vista Patch Worked Great!

    It converted my PC back to Windows XP...

    Thank you Microsoft! ;).
    itanalyst
    • Message has been deleted.

      itanalyst
  • I knew there was something shifty about that sidebar

    Yup, if I said it once, I said it a thousand times. If there's something that's just fine the way it is, Microsoft will over-complicate it.
    Steve Goldman
  • Patch killed my show connected icon

    The patch seemed to install OK.My machine seemed stuck in molasses on start up but seems OK after another cold restart. It seems to have killed off my "show when connected" icon in the system tray. That ticks me off.
    pjy1
    • Re:Patch killed my show connected icon

      Please right-click your taskbar & go to Properties>Notification Area & make sure that Network is ticked under System Icons.
      Also, Please try to restart your PC one more time.
      jnoooo
      • To get his network connect icon

        to show... he has to restart his computer? WOW! ]:)
        Linux User 147560
  • RE: Microsoft delivers two patches for three vulnerabilities; Plugs Vista h

    Found by IBM? Does M$ care or not?
    atari8bit@...
  • 2000 updates?

    I wonder if they fixed that flaw I reported to them over three years ago now. With sample code.
    rpmyers1
    • Installing Patches

      Will this be installed via windows update on vista automatically? or will i have to go to microsoft and download? If its the later how come windows update dont do it???
      sejeff@...
      • Automatically (nt)

        .
        ye
  • RE: Microsoft delivers two patches for three vulnerabilities; Plugs Vista h

    As if it is news! My OS, Linux, has and has had 'critical' vulnerabilities, as has OS X. The important thing with all of them is that they are patched before they become compromised. Microsoft has become much better at this and deserves credit for doing so, at least as far as WinXP is concerned.
    richdave
    • So far no reports OS compromised because of this

      I agree that MS should fix things faster, but in this case there are no reports of the exploit being used...of course now that this has been announced we may see some.
      otaddy
  • RE: Microsoft delivers two patches for three vulnerabilities; Plugs Vista hole

    Nowhere in the universe of Vista troubles have I read anything about the problems I am having with it. My Toshiba notebook came with Vista. I have a hyperactive cursor (so it seems) that continually causes pages to shift to a minimum size. Especially sensitive when I do the simple act of attempting to scroll! Drives me nuts. Also, I constantly get the window that says "Internet Explorer cannot display the webpage"...I have tried everthing to get this system to work for me. Even within websites (whenever I get to one...) I have very poor surfing, even the links internal to the website seem to time-out all the time. Can anybody address these for me? Thank you in advance for the help! LUXPAX at freemerald@yahoo.com
    freemerald@...
    • How do you know...

      it's Vista that's the cause? Are you sure it's not a hardware problem? Have you even contacted Toshiba about this? The "hyperactive cursor" really does sound like a hardware problem to me.
      RocketEater
  • New patches on XP Sp3

    I Downloaded and installed XP SP3 on Monday and it started off ok. No real differences altough IE 7.0 was crippled. But yesterday they realised an automatic update so that unsigned drivers including my ATI Omega video driver are banned and the Windows help and support centre repeatedly crashed so i couldn't do a system restore. But its still in beta so it should be resolved
    James29UK
  • Until next week's patch...buy Mac...or

    Use Linux. Ubuntu is best so far for the "regular" guy.
    mikifinaz1@...
    • No thanks

      OS-X is less secure than Vista; its only advantage is obscurity, and some of us prefer to rely on our own savvy instead of the market. Besides, people are attacking the Mac now, and most Mac users don't know well enough yet to use security software.

      I used to use Ubuntu, and Mandriva, and Linux Mint (descendant of Ubuntu). I've tried others, but most of them didn't work on my system. Linux has a problem with USB that causes the pointer to stop responding to a USB mouse, and USB drives and applications to crash. Apple may have the problem as well, since it is UNIX-based; but I don't know because I haven't used USB on a Mac recently.

      Windows continues to dominates the market for real reasons, not imaginary ones. Fewer people complain about Macs and Linux boxes just because they comprise barely 5% of the global market; the percentage is actually lower for Windows, and the number of satisfied users outnumbers total Mac/Linux users by a factor greater than 10. You hear complaints about Microsoft and assume everyone is complaining, but you forget that there are a billion MS users out there.

      All the while I used Linux I was trying to condition myself to do without. It didn't work, and bugs were only part of it. And Apple is the biggest money-hungry pig there is. Macs cost twice or thrice what comparable PCs cost, and they do less. Most consumers don't have the needs I have, but businesses do. That's why they use Windows, albeit XP for now.
      santuccie
      • Odd - My Experience of Ubuntu has been the Opposite

        I've used it now since 2006 on all my home computers and it has been 100% dependable; compatible with the three laptops (including an older ThinkPad and including the WiFi); as well as the desktop. No problems at all.

        My daughter prefers RythmBox over iTunes for updating her iPod, claiming she can make her iPod do more. She says her friends now want to do the same thing (I don't know what she can do with RB that she can't with iTunes, but whatever it is it seems to give her "cool" ratings at school). Her only grumble has is that she liked MovieMaker (to do her animations to share with her friends) and I couldn't put on one on Ubuntu that she liked. PS: Any suggestions here welcome.

        Apart from this -- my biggest surprise I had was how much I DIDN'T miss windows. This has probably been helped by the fact that neither myself nor my children play windows games -- rather they use the browser and messaging software.

        So, as for the bugs in Linux - not saying they don't exist, but so far they have affected me far less than Windows. Indeed, now when I have to use Windows I get frustrated at it. Case in point - I was backing up a lot of photo files (4GB) from my Ubuntu laptop to my sister's XP machine (I use TrueCrypt on my USB flash drives).

        Well, when I was backing up the files on Ubuntu I was still able to surf the web and finish off a report - no problems at all - the machine was slightly slower but very useable. However, when it came to putting this data on my sister's machine suddenly it felt as if the machine had "died". Explorer took forever to open. The XP machine was, as the files were being copied, for all practical purposes useless.

        Just to make sure it wasn't the writing of the files from the USB device to the hard drive, I then copied the files back to a temporary area on my Ubuntu machine from the flash drive. Again, although the machine was slower it still very useable. Firefox opened a treat and was able to open and work on a document.

        To sum up - my experience of Ubuntu has been an excellent one.
        BanjoPaterson
      • Interesting view, albeit a bit misled

        My experiences have been vastly different than those you have apparently been through, assuming that you aren't speaking out of some strange rage, or, heaven forbid, jealousy..

        First off, no FUD. Macs don't have a weird USB pointer issue, don't assume that they do because they "are UNIX based," and if you haven't used it in a while, chances are, some things have changed. If you don't know anything about the issue, don't bring it up.

        You cannot claim that Vista is more secure than OSX, especially if you are basing it on ANYTHING written by Larry Dignan, who has, time and time again, been proven as an anti-Apple Hack, and just generally foolish. ("I've seen the future, and the Zune becomes a Hit"... yeah, OK, such impressive market penetration!).

        Secunia, the source for security issues/fixes/reports (remarkably, the place that Dignan/Ou uses for their FUD) states clearly:

        ?PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.?

        i'm not going to go through the play-by-play myself, but just read this: http://www.roughlydrafted.com/2007/12/21/vista-vs-mac-os-x-security-why-george-ous-zdnet-vulnerability-numerology-is-absurd/ if you are in any interest to be fair.

        I'm not even going to try and explain market penetration. The fact that you quote the "5%" value for the Mac AND Linux market shows that you are either A) ignorant or B) easily deceived. JFG "Mac market share" and read some articles, maybe you will understand.

        Oh and BBB says:

        Microsoft: 2288 complaints in 36 months, 79% positive resolution
        (does not include the XBOX - figured to be fair, otherwise it would be about 5400 complaints, 50% positive.)

        Apple: 1321 Complaints in 36 months, 92% positive resolution
        (includes all iTunes/iPod, etc customers. couldn't find a separation.)

        On a final note, the company i work for has been using Apple equipment for YEARS. We enjoy the reliability of the Apple Operating System, and the fact that the proprietary hardware makes for a stable environment. We have a Mac Mini running our mail server. It's been on for about 8 months, no restarts (other than 1 or two crit updates), no crashes, not stability issues, and all with a G4 1.66 GHZ proc. We have another one running an FTP server, and G5 Dually running as a WEB server (we have some XServes to, but these are examples.

        My laptop has been either ON or asleep for 13 days (updated iTunes, had to restart)! Get a windows laptop to last that long and still be bearable! HA! Like hibernation works....

        My point is, if you don't have the slightest idea of what the HELL you are talking about, don't speak.


        I was going to touch on Linus as well, but i think i've gone on long enough already.
        /A\V/
  • Virtual Server 2003 (x64) wont boot after patch

    Just thought i would share that after installing the windows updates on a Virtual server using windows update from webstekker the box died. It won't start. Thanks microsoft... you killed our VPS better than any hacker could.
    comasic@...