Microsoft delivers critical Vista patches in June

Despite the new software security development procedures at Microsoft, Vista has some significant holes that should be plugged right away.

Along with June's trove of patches from Microsoft come a few Vista-related problems, which shows that even with Microsoft's new code-review techniques in place for Vista and the company's newer products, weaknesses can still exist.

Worse, one of the Vista issues involves a possible disclosure of administrative credentials to non-admin users -- a security hole through which it might be possible to launch other exploits. Those with Vista deployments of any size should make sure this particular fix is installed as promptly as possible. Machines shared by multiple users should be considered especially vulnerable.

Critical Vista patches

Microsoft has addressed a group of vulnerabilities in Internet Explorer (5.01, 6 and "most supported releases" of IE 7) with a fix that supersedes an earlier security bulletin released in May. Most of the problems involve remote-code execution issues that could be exploited by having someone visit a specially designed Web page.

Sadly, IE 7 on Windows Vista is affected by this family of issues, although not all of the vulnerabilities listed show up in Vista. The security bulletin that describes this problem also mentions a Knowledge Base article, #933566, which states that those who install the fixes for this group of problems may run into some issues.

A vulnerability in the Windows Schannel Security Package, which implements the SSL and TLS Internet security protocols, has been addressed. This problem could be exploited by having someone visit a specially designed Web site. Windows XP, Windows 2003 and Windows 2000 are affected by this problem, but Windows Vista is not.

A fix for security issues in Outlook Express 6 in Windows XP and Windows Server 2003, as well as Windows Mail in Vista, has been released. Most of the issues have to do with the way URLs are parsed or navigation requests are handled; these problems could be exploited by sending someone a specially designed e-mail message or directing them to a specially designed Web site.

A problem with the Win32 API has been addressed, one also exploitable through a specially designed Web page. Windows XP, Windows 2000 and Windows Server 2003 are affected; however, Windows Vista is not. (This bulletin supersedes one issued in 2006.)

Moderate Vista problem

A problem with Windows Vista could allow a local unprivileged user to access information in the Registry that they should not normally be able to access, such as administrative logon credentials. The user would not be able to immediately change settings, and they would need to be logged on locally to do anything -- but they would be able to read things they ordinarily should not.

It's a little puzzling why this issue is only rated as "Moderate," since exposing admin credentials in any form ought to be taken seriously. There's also no known way to work around the problem other than to apply the recommended security update. Vista machines upgraded from XP machines should be considered especially vulnerable, since there may be other information on those systems that could be exposed through this issue.

Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
