Microsoft slaps bandaid on IE, MS Word

Microsoft slaps bandaid on IE, MS Word

Summary: Microsoft's dominant Internet Explorer browser has undergone a security makeover to correct at least four vulnerabilities that could be used in code execution attacks if a user simply surfs to a maliciously rigged Web page.


Microsoft slaps bandaid on IE, MS WordMicrosoft's dominant Internet Explorer browser has undergone a security makeover to correct at least four vulnerabilities that could be used in code execution attacks if a user simply surfs to a maliciously rigged Web page.

The cumulative IE update (MS07-057), shipped as part of this month's Patch Tuesday updates, carries a "critical" rating on all versions except for IE 7 on Windows Server 2007. Internet Explorer 7 on Windows Vista is affected.

In all, Microsoft released six bulletins (one was withdrawn at the last minute) with patches for at least nine software vulnerabilities.

Two of the four vulnerabilities being patched -- browser entrapment bugs that makes it easy to launch phishing attacks -- was first discussed back in February when Michal Zalewski published proof-of-concept exploits. Microsoft slaps bandaid on IE, MS Word

The ever-present Microsoft Word application also gets a major bandaid in this patch batch. The software giant's 60th bulletin for 2007 (MS07-060) patches a "critical" remote code execution vulnerability exists in the way the word processing program handles specially crafted Word files.

"The vulnerability could allow remote code execution if a user opens a specially crafted Word file with a malformed string," Microsoft warned.

The flaw affects users of Office 2000, Office XP and Office 2004 for Mac.

A third "critical" bulletin (MS07-055) provides cover for a remote code execution vulnerability affecting the Kodak Image Viewer, formerly known as Wang Image Viewer. This flaw is most serious on systems running Windows 2000 but Microsoft warned that Windows XP and Windows Server 2003 may also be affected if upgraded from Windows 2000.

Windows Vista users should also pay attention to MS07-056, which covers a nasty flaw in the way Outlook Express and Vista's built-in Windows Mail handles NNTP responses. This bug could be exploit if a user simply browses to a booby-trapped Web site.

The October updates also includes MS07-058, covering an "important" denial-of-service flaw in RPC authentication (Windows Vista is affected); and MS07-059, which corrects a privilege escalation bug affecting Windows SharePoint Services 3.0 and Office SharePoint Server 2007.

Topics: Browser, Collaboration, Microsoft, Operating Systems, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Way to go Microsoft!

    Didn't Microsoft just yesterday announce to the world that it was discontinuing its Genuine Authentification to allow download of Internet Explorer 7...even for hacked copies of Windows, and now we hear that there are MORE vulnerabilites in IE7?
    • oh my god the sky is falling....

      oh wait, bugs happen get over it. If you want something perfect run hello world.

      - Sam
    • What does WGA have to with bug patches?

      • WGA keeps people from applying patches

        Users who have had false hits on WGA, or who know of the high rate of false hits, are not likely to apply patches. They worry about the chance that they will be slammed with the installation of ANY MS software.

        I know a number of people who refuse to load the latest version of Media Player because of the spyware that's been slipped into it. Their copies of Windows are legal, but they can't afford to burn the time it takes to prove it, just to get the latest upgrade of something that's working for them now.
        • Wrong

          Personally, I have not seen one person who has gotten slammed by a 'false hit on WGA'. Not one. I have three Windows computers, two running XP, one running Vista, and none of them have EVER had a false WGA thing pop up except when I was running a game with a certain online 'cheater-prevention' software that was known to give those errors when run on a system where DEP was also activated in both software and hardware.

          That's it, and I haven't seen one warning of that since I put it into the "exclude from DEP" list in Windows Vista.
          • Well I have been slammed plenty...

            to the point I've actually started encouraging my clients to switch to Linux or anything but Microsoft! I and my clients have been hosed pretty bad by this; and it has ruined my trust with anything from Redmond. I have had serious WGA issues on XP and Office 2003.

            Course you haven't "seen" my experience so I can't expect you to believe me. I haven't seen an earthquake but I am pretty sure they are real.
          • slammed plenty...

            Earthquakes are real I assure you they are! I belive ya JC!
          • I think the more appropriate advice for them is...

   find someone who can manage their systems properly. This is not to imply WGA issues do not exist. But you shouldn't be getting slammed by them. One or two I can understand. But slammed? I hope you don't think that is normal.
          • Probably good advice ye; but...

            the severity of the issue with my situation was "slammed". I wasn't managing their systems; I've left that kind of work. These are just home users, and SOHO's. I try to train small office clients how to manage their own systems. I like this kind of business; it is more rewarding to me even if I am not getting rich. I have turned down offers from banks and financial institutions because I don't like that climate anymore.

            As far as the term slamming - when it turns your world upside down topsyturvey; and forces you to suddenly change your whole business model; I call that slammed!

            When a Microsoft technician has to work on your main box for 2 hours because WGA fouled up the updates; mean while - I got clients screaming at me cause they have the same issues and I got to take care of them, with no mobile unit(thanks to WGA) - AAAUUGGGHHH! I shouldn't be discussing this; I get too emotional!

            I now make Microsoft fix all issues on supported software, even if it takes longer, so that Redmond bean counters will hopefully realize how much it is costing them! After all they sure don't care how much it is costing us! Maybe this was an isolated geographical area incident, but I doubt it from what I read on the blogs and forums.

            I've been steering newbies to Mandriva and Linspire as they were all buying new boxes anyway and the discount houses sell OEMs with these preinstalled and supported for a year. Must be good for newbies because it has reduced my calls to almost zero with those individuals. I have only had one customer that has reverted back to Microsoft.

            I don't miss the loss of business at all, because it gives me street credibility. I need longer vacations anyway; I can always find a new career!
          • Wrong

            WRONG? What makes it wrong? You are one person with oh big woop 4 computers. OH wow your word is LAW.. I have 9 computers running Win 2000 through Vista, I had 2 get WGA hits the Vista was a false hit although I admit the XP was not false ( a poorly patched XP fix while in china with no software along had to do a full format and restore to fix it correctly therefore passing WGA)
          • Your small sample does not equal a Universe

            Even though you (and some others you know) have not experienced a WGA snafu, doesn't mean the problem does not exist. The net is full of stories about WGA failures, just read the blogs, blog replies, and popular message boards, etc. It is real. A defective system built on a buggy OS, and you don't think WGA problems are real?

            It is already a known fact that pirates can bypass WGA and that it is really the legitimate customers that are negatively affected by it. Microsoft needs to learn that it cannot keep punishing its customers and expect them to keep embracing their newest offerings.

            The US automobile companies learned the HARD WAY what happens when you have market control and treat your customers badly. When other choices came along, they abandoned the "Big Three" (General Motors, Ford, and Chrysler) in record numbers. History tends to repeat itself so Microsoft really needs a history lesson refresher course.
  • A bit sensationalistic...

    "undergone a security makeover" -- hardly. It's just another patch. I'd reserve the term "makeover" for things like XPSP2.

    "ever-present Microsoft Word application also gets a major bandaid" -- Nope, just another patch. I'd say its more important to point out that Word 2003 and 2007 are not affected.

    "which covers a nasty flaw" -- Aren't all flaws nasty?
    • But this is a Microsoft Security Bulletin

      Hyperbole and extreme adjectives are always required. For any other OS, it is just another security update/patch. But Microsoft gets bandaids and other assorted loaded nouns.

      Guess it is just another story written to generate hits.
      Confused by religion
      • band-aid

        You are correct,but it is basically primarily a trademark, can certainly be used as a noun, but is also correct as an adjective! How colourful the English language can be?
        Well done.
        Richard Turpin
  • Do you even know what "band-aid" means?

    I am not sure you know what "bandaid [sic]" means. I suggest you look it up in the way that it is commonly used in the context of software.

    Or, can you at least tell us then why you consider this to be a band-aid, as opposed to the numerous patches you get from Apple or any version of Linux.

    Or are you just too much of an anti-MS fanboy to even stick to the facts?

    • Most of Microsoft's patches for IE are bandaids

      The problem is that the majority of the vulnerabilities in IE, and many vulnerabilities
      in other applications (including third party applications) are due to some inherently
      unsafe APIs that are shipped as a standard part of Windows and promoted as the
      standard way to perform common tasks.

      * The underlying technologies beneath COM object embedding in HTML and other
      document formats are not inherently unsafe, however the way they are
      implemented in many applications and components (including IE, Word, and the
      HTML control itself) are insecure. It is not possible to fix the security problems
      inherent in the design without making major incompatible changes to the APIs and
      breaking existing applications... and Microsoft is unwilling to do that.

      * The normal mechanism for executing a program in Windows, the old DOS based
      command line, provides no secure way to encapsulate individual components of the
      command line such that they will be reliably read as intended by arbitrary third-
      party applications. This is what's behind the IE/Firefox flaw and many other
      exploits.This can not be fixed without changing virtually every helper application to
      use something even as minimally structured as the UNIX 'exec' command line.
      Ironically, that API has been available in every version of NT ever shipped, via the
      POSIC subsystem, but Microsoft's insistence on isolating and deprecating the
      subsystem keeps it from being used.

      Since they are unwilling to break existing applications, all they can do is look for
      specific instances where someone has found a way to take advantage of these flaws
      and slap a bandaid on them.

      Now I don't know whether these particular patches are bandaids, but so many of
      Micrsoosft's patches HAVE been bandaids that it's not a completely unreasonable
      • Unwilling?

        Perhaps that's true, but it's also a case of being unable to do that. Can you imagine them making a change that would break most applications? Poeple complained about apps not working in vista (and blaming MS), even though the only reason most (all?) of those apps failed was their failure to adhere to 6-7 year old standards.

        Breaking vertical applications in corporate America in a patch would definitely be a huge mistake (and only acceptable if companies had years to prepare for such changes)

        Are these bandaids? I don't know, but a quick change would not be acceptable, even if MS wanted to do it.
    • "band-aid" means?

      Sad ..... Peter that was just a sad sorry posting in your own words PATHETIC.....
  • Another Yawner for Vista Users

    For those who keep asking what Vista brings to the table here's your monthly reminder.
    • For those who keep asking

      what Windows brings to the table here's your monthly reminder.