Windows zero-day flaw gets a fix

Microsoft's Tuesday patches include a fix for a "critical" Windows flaw that was first disclosed in December and also affects Vista.
Written by Joris Evers, Contributor
Microsoft on Tuesday issued five security bulletins with fixes for eight flaws, including a "critical" zero-day vulnerability in Windows that also affects Vista.

Four of the security bulletins released as part of Microsoft's monthly patch cycle address problems in Windows. Three are tagged "critical," Microsoft's highest severity rating, while the other is pegged "important," a notch lower. The most serious rating is for bugs that could cause a computer to be fully compromised with little, if any, user action.

Among the Windows patches is a fix for a zero-day vulnerability first disclosed in December. Security experts had initially deemed the flaw less serious, stating it could be exploited only by someone with access to a vulnerable computer.

The flaw lies in an essential Windows component called the Client/Server Run-time Subsystem and critically affects all current Windows releases, Microsoft said in security bulletin MS07-021. "If a user viewed a specially crafted Web site, an attacker who successfully exploited this vulnerability could take complete control of an affected system," the company said.

The MS07-021 update is the only patch released Tuesday that affects Vista. All of Tuesday's Windows fixes apply to its predecessor, Windows XP. This includes a critical hole in the Microsoft Agent, a help tool that succeeded the famous Clippy Office assistant. The Microsoft Agent flaw also affects Windows 2000 and Windows Server 2003.

The Microsoft Agent is flawed in the way it handles certain specifically crafted Web links. The vulnerability could be exploited through a malicious Web site, Microsoft said in security bulletin MS07-020. Microsoft Agent has been patched before.

The Client/Server Run-time Subsystem and Microsoft Agent bugs are the most serious in Microsoft's April patch pack, Vince Hwang, a group product manager at Symantec Security Response, said in an e-mailed statement.

"These patches are critical because there is an increased potential for exploitation since these vulnerabilities affect multiple versions of Windows," Hwang said.

Windows XP also has a critical vulnerability in the operating system's plug-and-play feature, which has been a patch target in the past and was exploited by the Zotob worm in 2005. The vulnerability could be exploited without any action by the user, but an attacker has to be on the same subnet as the target machine, Microsoft said in bulletin MS07-019. Attacks may also be blocked by a firewall, it said.

Despite those mitigations, miscreants are likely to jump on the plug-and-play flaw, said Tom Cross, a researcher at IBM Internet Security Systems. "Due to the ease of exploitation, we are taking the Universal Plug and Play flaw very seriously and expect to see an exploit by the end of the week," Cross said in an e-mailed statement.

Microsoft's fifth Patch Tuesday bulletin, MS07-018, addresses a pair of vulnerabilities in Content Management Server, including one deemed "critical." By exploiting that flaw, which lies in the way the software handles certain requests, an attacker could gain control over Web sites maintained with Content Management Server.

Microsoft's Tuesday patches come a week after the company issued an early security update to repair seven other Windows vulnerabilities. Microsoft rushed out that update because cybercrooks were using a flaw in the way Windows handles animated cursors to attack PCs. Microsoft did not release any fixes in March.
