Microsoft released six security updates Tuesday, three of which
address critical flaws in Excel, Windows and the .NET Framework.
And it's the .NET issues in particular that have security experts
concerned.
The software giant fixed three .NET flaws with the release of
MS07-040, two of which allow attackers to launch malicious code
remotely against client machines utilizing Microsoft's platform for
building and running specialized applications. The company added
that attackers could exploit the third flaw to access sensitive
information on Web servers running ASP.NET.
Don Leatham, director of business development at Scottsdale,
Ariz.-based PatchLink Corp., said IT administrators should deploy
this fix with the highest urgency, given the pervasiveness of
.NET.
"This seems to affect all versions of .NET, except the most
recent (version 3.0)," he said. "If the user visits a Web site that
runs Active Scripting code, which is very common in the Windows
world, such a script could take advantage of this flaw."
While many experts are expressing similar views, the issues
addressed in
MS07-039 are of greater concern to Eric Schultze, chief
security architect at Shavlik Technologies LLC, in Roseville, Minn.
Microsoft said that update fixes a flaw attackers could exploit in
implementations of Active Directory on Windows 2000 Server and
Windows Server 2003 to launch malicious code remotely or cause a
denial of service.
"The most serious patches depends on what's most important to you,"
Schultze said. "If you have a lot of clueless users who browse
potentially malicious Web sites, the .NET update is critical. But
if you believe the domain controller is most important, and I do,
then MS07-039 is the most critical."
He said IT shops will always be dealing with clueless users, but
when it comes to protecting the crown jewels, the domain
controller, which is a key user authentication server in most
organizations, is his greatest concern. "According to this
bulletin, you can own my domain controller just by looking at it,"
he said. "I would patch this first."
The third critical bulletin released this month is
MS07-036. Microsoft said it addresses a variety of flaws in its
Excel application.
"These vulnerabilities could allow remote code execution if a
user opens a specially crafted Excel file," Microsoft warned.
"Users whose accounts are configured to have fewer user rights on
the system could be less affected than users who operate with
administrative user rights."
Microsoft rated two of the six bulletins as important. One is
MS07-037, which fixes a flaw attackers could exploit to
remotely launch malicious code if a user views a specially crafted
Microsoft Office Publisher file. The other is
MS07-041, which fixes another remote-execution flaw attackers
could exploit by sending specially crafted URL requests to a Web
page hosted by Internet Information Services (IIS) 5.1 on Windows
XP Professional Service Pack 2.
"An attacker who successfully exploited this vulnerability could
take complete control of the affected system," Microsoft said.
"This is an important security update for all supported 32-bit
editions of Windows XP Service Pack 2."
Finally, Microsoft released one bulletin with a moderate rating.
MS07-038 fixes a Windows Vista flaw that could allow incoming
unsolicited network traffic to access a network interface. "An
attacker could potentially gather information about the affected
host," Microsoft said.