MS Patch Tuesday: Vista dinged again

Summary: The carefully crafted image of Windows Vista as the most secure operating system of all time is beginning to take a beating. For the second time this month, Microsoft has shipped a security bulletin with patches for a "critical" Vista vulnerability that puts millions of users at risk of code execution attacks.

The carefully crafted image of Windows Vista as the most secure operating system of all time is beginning to take a beating.

For the second time this month, Microsoft has shipped a security bulletin with patches for a "critical" Vista vulnerability that puts millions of users at risk of code execution attacks.

The update -- MS07-021 -- is one of five bulletins released in Microsoft's scheduled batch of patches for April. Four of the five are rated "critical," Microsoft's highest severity rating.

The five bulletins contain fixes for a total of 8 vulnerabilities affecting multiple versions of Windows and the Microsoft Content Management Server.

The total patch count for April stands at 15, including the flaws covered in last week's emergency animated cursor (.ani) update.

The remote code execution flaw that dinged Vista is an error in the way the Windows Client/Server Run-time Subsystem (CSRSS) process handles error messages. An attacker could exploit the vulnerability by constructing a specially crafted application that could potentially allow remote code execution.

In all, the MS07-021 update fixes three different CSRSS bugs, all affecting Vista. However, only one of the three is rated critical across the board. The risk from the other two is limited to privilege escalation and denial-of-service conditions.

Here's a brief synopsis of today's patches:

MS07-018 (Critical) -- Fixes two flaws in Microsoft's Content Management Server, a product that allows customers to build, deploy, and maintain Web sites. One is a remote code execution vulnerability in the way HTTP requests are handled; the second bug could enable spoofing or cross-site scripting attacks.

MS07-019 (Critical) -- A remote code execution vulnerability in the Universal Plug and Play service. An attacker can use specially crafted HTTP requests to run arbitrary code in the context of the Local Service account.

MS07-020 (Critical) -- A remote code execution vulnerability in the way Microsoft Agent handles certain specially crafted URLs. This puts Windows users at risk of drive-by Web-based attacks.

MS07-021 (Critical) -- This covers three different CSRSS vulnerabilities, all affecting Windows Vista and prior versions of Windows. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. Exploit code for some of these is publicly available.

MS07-022 (Important) -- A Windows kernel flaw that could allow privilege elevation attacks. This occurs because the Windows kernel allows incorrect permissions to be used when mapping a memory segment.

  • Interesting......

    Pagan jim
  • Guess Bill G was wrong

    "Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."

    Guess every 2 weeks is better then.

    Nice try Billy Boi, you really are scared!
    • Basically

      I laughed the day he said that and said to myself, whelp he asked for it. I think him saying that is up there with the "The internet is made of tubes.." comment. Sad sad sad.
      Brandon Dixon
      • Let's not forget Dvorak's comment...

        That Mac users like Vista better than Windows users, or something of that effect.
        What a joke, right?
  • Patch Tuesday

    For the $200-$700 plus tax people paid for this operating system they sure are getting all they can eat.
    • any new code will have holes...

      Once the public gets to go through it with a fine-toothed comb. That is why I am waiting to go to Vista for a while.
  • And still, with the momentum of the install base

    who's unseating this patch sick behemoth. What underdog is replacing each and every sick doze box out there, next week, next month, . . where are the champions . . of the world and how long before they are the majority and insecure Windows a shadow, a small fry, a niche market of off of the box users huddled in basements and lowly digs?
    • Nicely done, that...

      I tip my hat to you, boot_agnostic, that was well-done. Soaring rhetoric, nice visuals; you should become a politician. Failing that, at least zdnet can give you a job. God knows half of their writing staff is sorely challenged to compose the most elementary of sentences.
  • DEP? UAC?

    A couple of things....

    The vulnerability in Vista is old code, and affects all versions of Windows. I'm still waiting to see the first Vista-only security ding.

    Second, do any of the Vista security enhancements block the vulnerability? UAC should block privilege elevation attacks. DEP should block buffer overrun attacks. IE7 protected mode should prevent code from being downloaded for execution. Do any of these provide any protection? Do you have to turn off all of Vista's security enhancements in order to be affected by the vulnerability?

    Complete reporting, please! Vista is the most secure version of Windows, but that's not a simple matter of removing all the vulnerabilities. It's a layered defense structure, and any layer that stops a vulnerability is doing its job, even if the underlying code still has a problem that's been there for a decade and that could, in theory, be triggered.
    diane wilson
    • You are absolutely right!

      Thanks for posting something worth reading. I'm tired of all the posturing of the lovers and haters. Those who like Windows will use it, those who like Linux will use it. What would be more valuable is if those writing these articles provided a bit more 'meat' to the story and indicated when these vulnerabilities are/could be exploited and whether or not there are ways to minimize the impact. Also, as you mention, does UAC, DEP or IE7 protected mode mitigate these? I have used both Linux and Windows and have to say, there's no switching for me...Windows is my choice. Now I must admit that some things could still be cleaned up, and turning some security on by default would be better. For example I changed the DEP setting right away and so far only had one program have an issue with it. I added it to the list of exceptions and all is fine. Why Microsoft has DEP on for Windows programs and services only I have no idea, but the truth of the matter is Vista is by far still the most secure version of Windows I've seen to date, and by far the easiest, most intuitive, most robust and still has the most supported 3rd party applications to date.
      • You're Right as Well

        And you're right as well.

        Truth is, if no one ever went to Google porn sites, there would be no issues to talk about.

        The holes were meant for porn. Microsoft has no intentions of blocking it.

        It's the money tree for Microsoft and virus software.

        These sites have all the code. There's no virus software that works if you go there.

        I have one PC that never goes online for any reason. Virus software scans it and repeats the same issues over and over. For the last year.

        The software just makes up issues I've never had. It's never been online.

        I just deleted the software, and everything works.

        Here's another point. No one here has ever reported what the paranoia is, proof of how they got it, or proof they ever had it.

        With images embedded with code now, I have to guess people think they are safe downloading them from tainted sites. Then passing them along.

        Even MySpace is supporting porn sites. I saved all email reports directed to them. They say it's been taken care of, when you still get the same exact ones coming in daily.

        Here is the best thing anyone can do. Reinstall OS once a year regardless. Trying to repair systems will just leave a marked spot of

        I could bet $5000.00, you dedicate one PC to surf only porn, it will come to a halt shortly. Or never boot again.

        I'm seriously looking at Apple, if I can get through the learning curve. I watch my partner daily, and not one second of any issue ever comes up. And no virus software period.

        It's paid for itself right there alone. Compared to what I've invested.

        More Patches? So when do I get to play? I'm too busy trying to plug holes like a dam dike using water based caulking.
        • Proof it's Porn, White Paper

        • Proof it's Porn, White Paper


          Link is broken, You'll have to copy/paste
    • Not exploitable according to Dave Aitel

      MS07-019 is not exploitable according to Dave Aitel on DailyDave:

      "Some notes on MS07-019 - we threw a quick and dirty PoC into Partners and Kostya and I have looked at it to see what's up.

      Three things combine to make it "unexploitable":
      DEP, SafeSEH, and character filtering.

      DEP by default is on, since this is svchost.exe."
      • George, you really need to pay attention

        MS07-019 is *not* the bug that is rated "critical" across the board, including Vista. Go read the bulletins.

        Ryan Naraine
        • Sorry, doing too many things

          Still, is one bug worthy of declaring a "bashing"? Seems sensational to me. Do we even know MS07-021 is exploitable or that it bypasses UAC?
          • oh George - the hypocrisy

            the use of "sensational" against a fellow ZDNet blogger - pot, kettle, black, as you always sensationally diss everything non-MS
          • Who says he wasn't sensational?

            That first sentence is sensational, period. It's a straw man argument.
          • Re: Who says he wasn't sensational?

            I wasn't commenting on if it was or wasn't - I was just pointing out your hypocritical stance of complaining about sensationalism when you are the most guilty blogger of sensational blogs
    • First Vista-only bug? Already happened.

      Look at the executive summary of MS07-021, where the Affected Platforms information is laid out for CVE-2007-1209:

      Windows 2000 Professional SP4: Not Affected
      Windows 2000 Server SP4: Not Affected
      Windows XP SP2: Not Affected
      Windows Server 2003 RTM: Not Affected
      Windows Server 2003 SP1: Not Affected
      Windows Server 2003 SP2: Not Affected
      Windows Vista: Important

      This bug, as documented by eEye, is a Vista-only regression introduced in the transition from LPC (NT 4.0/2000/XP/2003) to ALPC (Vista) in the Client/Server subsystem.

      Also, some technical errors in your statements...

      UAC doesn't block privilege elevation, it creates a reduced privilege environment. UAC makes existing escalation avenues more important, not less important. What's more, IE 7's Protected Mode does not block downloading code. It causes malcode to run in a sandboxed, low-rights environment. The only reason Vista users survived .ANI, for example, is because the exploit was not combined with a privilege elevation attack like a kernel bug to break out of protected mode.

      Ryan's point wasn't challenging that Vista is the most secure Windows of all time. He said "the most secure operating system", which leaves open other possibilities than Windows platforms. Microsoft doesn't make the world's only OS, you know.

      DEP provides some protection against the CSRSS vulnerability -- if you're on an x64 CPU. IE 7 Protected Mode and UAC provide none, because CSRSS runs as SYSTEM. It's possible to exploit this vulnerability in spite of DEP, and ASLR provides only rudimentary protection against the remote vector.
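The "DEP? UAC?" thread above turns on which system-wide DEP policy a Vista box is actually running (the default "Windows programs and services only" setting one commenter changed, versus DEP for everything). The posture check below is an added example, not code from the article or any commenter; it assumes PowerShell 3 or later for Get-CimInstance and an elevated shell for the bcdedit cross-check.

```powershell
# Added example (not from the article or its commenters): report the system-wide
# DEP policy discussed in the thread. Two independent sources are read so that a
# mismatch (e.g. a bcdedit change that is still waiting for a reboot) is visible.
function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy encodes the
    # policy as 0-3; the labels mirror the Vista "Performance Options" dialog.
    $labels = @{
        0 = 'AlwaysOff (DEP disabled for everything)'
        1 = 'AlwaysOn  (DEP for all processes, no exceptions)'
        2 = 'OptIn     (Windows programs and services only; Vista client default)'
        3 = 'OptOut    (all programs except an exception list)'
    }
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $code = [int]$os.DataExecutionPrevention_SupportPolicy

    # bcdedit shows the "nx" value the boot loader will apply at next start.
    # It requires an elevated shell, so a failure here is tolerated and reported.
    $bootNx = $null
    try {
        $out = & bcdedit /enum '{current}' 2>$null
        $m = ($out | Select-String -Pattern '^\s*nx\s+(\w+)').Matches
        if ($m.Count -gt 0) { $bootNx = $m[0].Groups[1].Value }
    } catch { }

    [pscustomobject]@{
        RuntimePolicyCode = $code
        RuntimePolicy     = $labels[$code]
        HardwareDep       = $os.DataExecutionPrevention_Available   # CPU NX/XD support present
        DriversCovered    = $os.DataExecutionPrevention_Drivers
        BootConfigNx      = $bootNx                                  # $null if bcdedit was unavailable
        Consistent        = ($null -eq $bootNx) -or ($labels[$code] -like "$bootNx*")
        IsOptInDefault    = ($code -eq 2)                            # the setting the thread complains about
    }
}

Get-DepPolicy | Format-List
```

IsOptInDefault being true means only Windows system binaries are covered, which is the configuration the comment above describes changing; HardwareDep false means the policy is enforced in software only, so the x64 caveat in the last reply applies.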