Microsoft Corporation (Nasdaq: MSFT) today released their monthly security bulletin. This time there are only two patches.
MS07-061
The first issue, rated by Microsoft as critical, is also known as CVE-2007-3896. This vulnerability exists in how the ShellExecute function, a core component of Windows®
, handles URIs containing percent (%) signs. It is present in those Microsoft® Windows XP and Windows Server® 2003 systems that also have Windows Internet Explorer® 7 installed. By injecting a specially crafted URI, a remote attacker can execute arbitrary programs, in other words break into and hijack the computer.
This security hole has been immensely exploited. Probably the best-known example is the bulk-mailing of maliciously crafted PDF files that compromise the computer should they be read in a vulnerable version of Adobe Acrobat or Reader.
As a patch now finally is available, applying it is highly important. Adobe had earlier provided a workaround in the form of a version update that addressed the issue (under the number CVE-2007-5020) as far as those Adobe products are concerned. Unfortunately, Adobe users seem less than meticulous in keeping their software up to date (even though recent Adobe products include an automatic update facility). Anyway, the Microsoft update should fix the root of the problem, i.e. make ShellExecute handle URIs safely.
Some say this should have been done as early as last summer, since the vulnerability was disclosed in July 2007. Microsoft has explained the long wait by noting that ShellExecute is such a critical function that extensive testing has been necessary in order to maintain compatibility. However, there are accounts of Microsoft initially having dismissed reports of this vulnerability, maintaining that the issue did not warrant any changes in their software. Still, what’s important is that an update is now finally available.
MS07-062
The other update, rated as important, resolves a spoofing vulnerability in Windows DNS servers.
External links:
- “Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)” (Microsoft security bulletin MS07-061)
- Microsoft Security Response Center (MSRC)
- “Use ShellExecute to launch the default Web browser” (Microsoft)
- “Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat” (Adobe security bulletin APSB07-18)
- “A serious browser vulnerability, but whose?” (The Register)
- “Vulnerability in DNS Could Allow Spoofing (941672)” (Microsoft security bulletin MS07-062)
Have you been directly or indirectly affected by these vulnerabilities? Why are there so many, month after month – sloppy coding, or is it just that we notice them since Microsoft software is everywhere? Please post your comments!
Post a Comment