» W3Exchange
   http://www.w3exchange.com/index.html
» Press Releases
   http://www.w3exchange.com/view_forum-id-11.html
» Microsoft's Latest Patches Include First Vista Fix
   http://www.w3exchange.com/view_topic-id-1749.html

Robert - 2007-06-13 21:33:46

Microsoft has issued a new set of patches for vulnerabilities affecting Internet Explorer and the Windows operating system, including the first one that is specific to Vista. "What this implies is that it is a flaw in the newer core, which was written under Microsoft's secured computing initiative," said Amol Sarwate, research manager of the vulnerability research lab at Qualys.

Microsoft  has released its latest batch of fixes in this month's Patch Tuesday announcement, employing a new format that makes it easier for IT administers to single out areas of risk, according to Amol Sarwate, research manager of the vulnerability research lab at Qualys.

The new format doesn't give users a total count of vulnerabilities, however. For instance, Sarwate told , one patch in this release fixes six different vulnerabilities in Internet Explorer  -- a less-than-transparent accounting of the number of flaws the company is addressing.

Many of the newly uncovered vulnerabilities this time are variations on existing themes: flaws in Internet Explorer, for instance, or proof-of-concept vulnerabilities on which active development is occurring. Perhaps most worrisome -- and intriguing, according to at least one security researcher -- is a possible vector in SSL (Secure Sockets Layer), which is supposed to be the gold standard for Web site security.

What's the Problem With IE?

If it seems as though IE flaws are a recurring theme for Microsoft, that's because they are.

"In many ways, it is the same old, same old," Mark Loveless, security architect at Vernier Networks , told TechNewsWorld.

The good news is that Microsoft's reactive process works fairly well, which means it is less likely to issue a slew of code reds -- as it used to in the days when huge, well publicized worm attacks threatened the Internet on a regular basis.

Another dubious advantage of IE is that spammers are paying malware writers for their best worms and saving them for zero day exploits. "People aren't blowing their zero day exploits on goofy worms anymore," Loveless said. "Rather, they want the worms they do write to keep a low profile in order to remain on computers that much longer."

Another critical flaw, found in Microsoft's SSL channel, would allow a hacker  to gain control or host a Web site that gives out "bad" security certificates, Sarwate said.

From a technical point of view, this is the most interesting flaw, according to Vernier Networks' Loveless. "It is interesting because there is only the potential for remote code execution, which means it would be hard to hack." The fact that it can be hacked at all is what makes it interesting, he explained.

It depends on the platform, FireEye's Harrington said, noting that the SSL flaw would be hard to remotely execute on Windows 2000 but not on Windows XP. "Of course, it is Windows XP that is much more commonly used."  That particular flaw is not found in the Vista version, he said.

Vista Issues

One moderate vulnerability in the release is specific to Vista, Sarwate said. There have been Vista vulnerabilities before, but they were also found in earlier versions of Windows. "This is the first time there is a vulnerability that only exists in Vista. What this implies is that it is a flaw in the newer core, which was written under Microsoft's secured computing initiative."

This flaw allows low-privileged users to access information that should only be accessed by the top-privileged users, he said.

» Print this topic