Four Critical Fixes Coming for Windows, IE, MailBy Lisa Vaas | Posted 2007-06-08 Email Print
The four worst vulnerabilities out of the pack of six security updates can lead to system takeover.Microsoft will send out six security bulletins, four of them for problems rated "critical," the company's highest severity rating, on Patch Tuesday, June 12. All four of the most serious vulnerabilities, in Windows and in IE, can lead to systems getting hijacked.
Three of the critical problems are in Windows; one is in Internet Explorer, one is in Outlook Express and Windows Mail, and there is one "important" fix for Visio. Also, a moderate bug has been found in Windows.
Microsoft's advance notification, sent on June 7, was devoid of technical detail on the security fixes. The company also shrugged its shoulders about describing attack scenarios, saying that it couldn't depict proper scenarios at this point "due to a lack of details."
This particular advance notification is the first of Microsoft's revamped ANS (advanced notification service) format, in which the company said it would be providing more detail than in previous advance notifications.
Microsoft Security Resource Center's Mark Miller said in a May 16 blog post that the change is meant to help out customers who need more information in order to brace for patch testing and deployment.
The ANS is now being published at the same URL used for a given month's security bulletin summary page.
The look of Microsoft's security bulletins also is getting a makeover. Miller said customers like the level of detail but want to get to the severity and its applicability to their environment more quickly. The new design moves decision-making information to the top of the page, replaces a list of affected products with a table that links to update download locations, cuts down on repetition, clarifies section titles and rearranges content in a more intuitive fashion.
According to eEye Research's Zero-Day Tracker, there are currently three outstanding zero-day flaws in Microsoft products: two in Windows and one in PowerPoint. The highest criticality rating of those publicly disclosed flaws and those used in attacks, however, is medium. .
Microsoft did say that it isn't aware of any of the flaws being exploited at this point. Those who are affected can contact the company at email@example.com.
Microsoft may not have any details on the security holes, but the company had ample advice on how to protect a network from the mystery bugs.
First, the company advised, permit local access for trusted individuals only. "Where possible, use restricted environments and restricted shells," according to the advance notification. Other tips from Microsoft:
- Provide local interactive access for trusted individuals only.
- Block external access at the network boundary, unless external parties require service.
- If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
- Deploy NIDS (network intrusion detection systems) to monitor network traffic for malicious activity.
- Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit.
- Implement multiple redundant layers of security.
- As an added precaution, deploy memory-protection schemes (such as non-executable stack/heap configuration and randomly mapped memory segments). This may complicate exploitation of memory-corruption vulnerabilities.
- Run all software as a nonprivileged user with minimal access rights. To reduce the impact of latent vulnerabilities, run applications with the minimal amount of privileges required for functionality.
Check out eWEEK.com's Security Centerfor the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.