Vista hit by Patch Tuesday shrapnel

A close look at MS07-010 shows that Microsoft Windows Defender in Windows Vista is indeed vulnerable to a "critical" code execution flaw that was flagged by researchers at IBM's ISS X-Force unit.

As Ed Bott correctly noted, this patch does not show up in Vista's automatic update mechanism. That's because the anti-spyware component comes with its own auto-update system that will pull down the patch independently. All the vulnerable products -- OneCare, Antigen, ForeFront and Windows Defender -- will get the patched scan engine automatically.

This is in effect the first remote code execution vulnerability to affect Vista since the operating system hit retail stores and it should not be pooh-poohed. The flaw is an integer overflow that leads to heap corruption when Microsoft's core anti-virus engine scans a dirty PDF file. As proven recently, maliciously rigged PDF files can trigger PC takeover attacks so the potential for real damage here is high.

Some other Patch Tuesday leftovers, via an interviewed I did yesterday with Mark Griesi, program manager in the MSRC (Microsoft Security Response Center):

• All the under-attack Microsoft Office (Word and Excel) vulnerabilities have been fixed with MS07-014 and MS07-015.
• The privilege elevation vulnerability confirmed in Windows Vista is still under investigation. It's been 60 days and counting since the release of proof-of-concept exploits for this flaw.
• Also unpatched is a critical PowerPoint vulnerability that was reported to Microsoft since July 2006, seven months ago. FrSirt has the skinny.
• In addition to the Word and Office patches, pay special attention to MS07-016, which covers three serious Internet Explorer bugs. All three flaws can be exploited by simply luring a surfer to a malicious Web page. IE 7 users are at risk too.

Also see Larry Dignan's riff on the problems associated with a strict monthly patch release cycle and the Internet Storm Center's recommendations on prioritizing the February updates.