Microsoft Squashes 7 Critical Bugs in Excel, .Net, Active Directory

By Lisa Vaas Print this article Print

Microsoft issues patches for seven critical flaws in Excel, Windows Active Directory and the .Net Framework.

Microsoft has issued patches for seven critical flaws in Excel, Windows Active Directory and the .Net Framework.

Those seven vulnerabilities cover the worst-hit applications. The July 10 Patch Tuesday saw a total of 11 vulnerabilities fixed in six security bulletins.

Analysts were warning about the critical .Net flaw ahead of the bulletin release, given the framework's core role in supplying code to a vast array of Windows applications, such as in pre-coded user interfaces, data access components, database connectivity, cryptography, Web application development, algorithms and network communications modules.

Indeed, Web application security experts said, a critical .Net bug has the potential to affect pretty much all applications on all of Microsoft's actively supported platforms.

As it turns out, the security patch for the critical .Net vulnerability resolves three privately reported vulnerabilities. Two of those flaws could allow remote code execution on client systems with .Net Framework installed, and one could allow information disclosure on Web servers running ASP.NET.

Dave Marcus, security research and communications manager at McAfee Avert Labs, said that the .Net bugs are easily exploitable, making them high-priority patches. "The vulnerabilities in the .Net Framework could be exploited through malicious Web sites," he said in a statement. "Simply visiting such a Web site would result in malicious code being installed on the victim's computer."

Click here to read why the need to fix CPU bugs and vulnerabilities is becoming an important issue.

The .Net vulnerabilities include a PE (Portable Executable) Loader flaw (CVE-2007-0041). The PE format is a format for executables, object code and DLLS that's used in 32-bit and 64-bit Windows operating systems. It's called "portable" because the format can be ported across all 32-bit and 64-bit Windows operating systems.

The format is a data structure that serves to encapsulate information needed by a Windows operating system loader to managed wrapped executable code, including dynamic library references for linking, API export and import tables, and more. PE is also the standard executable format in EFI (Extensible Firmware Interface) environments.

A remote attacker who manages to exploit the vulnerability in .Net's PE Loader could change the system with the permissions of a logged-on user. If a user is logged in with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

One mitigating factor for the .Net PE Loader flaw is that user interaction is required; a Web-based attacker has to host a site with a malicious page and lure a victim onto it in order to exploit the vulnerability.

Another mitigating factor can be limited user rights. Users running with restricted rights give attackers less ability to tamper with a system. Also, by default, supported versions of Outlook and Outlook Express open HTML e-mail in a restricted sites zone. That zone prevents Active Scripting and ActiveX controls from being used when reading HTML e-mail. But if a user clicks on a link within the e-mail, all bets are off; they're still potentially vulnerable to a Web-based attack. Internet Explorer on Windows Server 2003 also runs in a restricted mode known as Enhanced Security Configuration. That mode sets the security level for the Internet zone to High.

The second .Net flaw is a null byte termination vulnerability (CVE-2007-0042) that can lead to information disclosure. A successful attacker could use the flaw to bypass the security features of an ASP.NET Web site, after which he or she could download the contents of any Web page. A mitigating factor in this case is that Web applications developed with ASP.NET that restrict all untrusted input variables, including null bytes, to a range of expected values or characters would not be affected.

Read the full story on eWEEK.com: Microsoft Squashes 7 Critical Bugs in Excel, .Net, Active Directory

This article was originally published on 2007-07-10
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.