Microsoft Plugs 15 Security Holes
Microsoft issued free software updates today to fix at least 15 separate security flaws in its Windows operating system and other software. Windows users can grab the patches by visiting Microsoft Update or by turning on Automatic Updates.
Nine of the 15 flaws earned Microsoft's "critical" rating, its most severe. Microsoft reserves that rating for vulnerabilities so serious that exploiting them generally requires no action on the user's part, beyond perhaps being lured to a malicious (or hacked) Web site or opening a specially crafted e-mail.
Most of the critical vulnerabilities fixed in June's patch batch are addressed in a cumulative security update for just about every version of Microsoft's Internet Explorer Web browser, including IE7 and IE7 on Windows Vista. The problem, again, lies in how the browser handles ActiveX controls: a hostile Web site could use the flaws to seize total control over a visitor's machine or to silently install software. One of the holes is already known to criminals; Microsoft reports that instructions for exploiting it were already posted online.
Another patch bundle is a cumulative update for Outlook Express and Windows Mail that plugs four separate security holes in those programs.
One patch that deserves special attention fixes a critical flaw in Windows Secure Channel (SChannel), the Windows component that implements "secure sockets layer" (SSL) connections (think sites whose address begins with https://) and checks the digital certificates those sites present. This vulnerability, too, can be exploited through Internet Explorer, in this case by a malicious Web site that sends a specially crafted digital signature or certificate to the user's browser.
This is a nasty group of vulnerabilities, people. If you are using Windows, you should not delay in downloading and installing these updates.
By Brian Krebs |
June 12, 2007; 2:22 PM ET
From the Bunker, Latest Warnings, Misc., New Patches, Safety Tips
Previous: Yahoo! IM Users Should Upgrade Immediately |
Next: ZoneAlarm for Windows Vista Released
Brian,
What would the security implications be for a Windows user of changing from IE to Safari, now that Safari is a free download for Windows?
Just curious.
Posted by: anonymous reader | June 12, 2007 2:59 PM
@anonymous reader
Safari for Windows is currently beta software, meaning it is still in a testing phase and not recommended for normal use. So, the jury is still out.
Posted by: Rick | June 12, 2007 3:21 PM
There are several warnings about Fake Microsoft Security Alerts on the web.
One is here:
http://www.pcworld.com/article/id,132736/article.html
Posted by: Frank C. | June 12, 2007 3:54 PM
It can never be emphasized enough,
"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
By all means patch away, but one of the biggest defenses against any of these vulnerabilities being exploited is using a non-admin account at all times! It greatly reduces the system's attack surface.
Principle of least privilege
http://en.wikipedia.org/wiki/Principle_of_least_privilege
The Importance of the Limited User, Revisited - Security Fix
http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html
Posted by: Rick | June 12, 2007 3:58 PM
Brian,
I'm just curious as to why you referred to the security updates as "free" ('Microsoft issued free software updates today')... Microsoft security updates have always been free, and most companies' security updates are free.
I'm wondering if you are aware of something that's coming in the near future that the rest of the world isn't privy to yet.
Posted by: Tyler Reguly | June 12, 2007 4:15 PM
There is an error on the main Microsoft summary page for the June updates:
http://www.microsoft.com/technet/security/bulletin/ms07-jun.mspx
There are two entries for the cumulative Internet Explorer update (MS07-033, KB 933566) listed for Windows Vista: one for the 32-bit version, and one for the 64-bit version. However, both links at the moment point to the 64-bit update. The following link will get you the 32-bit update:
This has been reported to Microsoft, and to SANS.
Posted by: Rich Gibbs | June 12, 2007 4:23 PM
Correct me if I'm wrong, but I believe the Vista IE issues are covered for users who are running in protected mode. ActiveX controls wouldn't have any access to the system in this case. You neglected to mention that.
Posted by: Bill T | June 12, 2007 9:48 PM
I just checked the MS summary page I mentioned in my earlier comment. They have now corrected the link for the 32-bit Vista update (MS07-033).
Posted by: Rich Gibbs | June 12, 2007 11:41 PM
Bill T:
As long as protected mode is left turned on (default), yes, it should provide some mitigation against exploits.
The Microsoft security bulletin (http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx) for the IE patch rates only 2 of the 6 IE vulnerabilities as "critical" for Windows Vista. In comparison, IE7 on Windows XP rates 3 of 6 as such, and older versions of IE rate much worse (5 of 6). The exception is IE7 on Windows Server 2003 (rated moderate).
Bottom line: while this may allow more time to test the patches for Vista, it is still recommendated to patch! Sooner rather than later.
Posted by: TJ | June 12, 2007 11:48 PM
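Three checks come up in this thread: whether the MS07-033 cumulative IE update (KB933566, mentioned by Rich Gibbs above) is actually installed, whether the session is running with administrative rights (Frank C.'s least-privilege point), and whether IE7's Protected Mode is still on for the Internet zone on Vista (Bill T and TJ). The PowerShell below scripts all three. It is an added example, not code from the post, from any commenter or from Microsoft. It assumes PowerShell 1.0 or later on Windows XP SP2 or Vista, and it assumes Protected Mode is recorded in the Internet zone's registry value named 2500 (0 = enabled, 3 = disabled); the value name and its meaning are assumptions of the example, not facts stated on the page.

```powershell
# Added example: post-patch hygiene check for the June 2007 IE update.
# Not from the original post. Assumes PowerShell 1.0+ on XP SP2 / Vista and
# that IE Protected Mode is stored in the Internet-zone value "2500"
# (0 = enabled, 3 = disabled); treat that value name as an assumption.

$kb = 'KB933566'   # MS07-033 cumulative IE update (identifier from the thread)

# 1. Patch installed?  Win32_QuickFixEngineering lists installed hotfixes and
#    is reachable from PowerShell 1.0 via WMI (Get-HotFix only arrived in 2.0).
$hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
          Where-Object { $_.HotFixID -eq $kb }
if ($hotfix) {
    Write-Host "[ok]   $kb is installed"
} else {
    Write-Host "[FAIL] $kb is not installed - get the MS07-033 update from Microsoft Update"
}

# 2. Running as admin?  IsInRole inspects the *current token*, so on Vista
#    with UAC a non-elevated session of an admin account reports False here.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Host "[WARN] '$($identity.Name)' has admin rights in this session - browse from a limited account"
} else {
    Write-Host "[ok]   '$($identity.Name)' is not an administrator in this session"
}

# 3. IE7 Protected Mode (Vista only; OS major version 6).  Zone 3 = Internet zone.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $item = Get-ItemProperty -Path $zone -Name '2500' -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        Write-Host "[?]    Protected Mode value not present for this user; IE7 defaults apply"
    } elseif ($item.'2500' -eq 0) {
        Write-Host "[ok]   Protected Mode is on for the Internet zone"
    } else {
        Write-Host "[WARN] Protected Mode is off for the Internet zone (value $($item.'2500'))"
    }
} else {
    Write-Host "[n/a]  Protected Mode requires Vista; on XP rely on the patch and a limited account"
}
```

Run it from the account you actually browse with, not from an elevated console: the admin check reads the token of the running process, so an elevated Vista prompt will report administrator rights even for a session that browses as a standard user, and a non-elevated prompt will report none even if the account is in Administrators. The Protected Mode check is per user because the setting lives under HKCU.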
Typo: recommendated should be recommended. :)
Posted by: TJ | June 12, 2007 11:55 PM
Actually, I like recommendated much better. :-))
Posted by: Pete from Arlington | June 13, 2007 9:52 AM
@Anonymous Reader (RE: Safari)
For anyone that's interested in Safari on Windows, the Ars Technica Web site has a short, "first look" review article up:
http://arstechnica.com/news.ars/post/20070612-afirst-look-safari-3-on-windows.html
Personally, I would echo Rick's earlier caution: Safari for Windows is still beta, and on a new platform to boot. It's fine to experiment with, but I wouldn't rely on it.
Either Mozilla Firefox:
http://www.mozilla.com/en-US/firefox/
or Opera:
http://www.opera.com/
is a good choice as an alternative to Internet Explorer.
BTW, Windows users that don't use IE as their browser should still be sure to get the IE security updates. Because of the integration that Microsoft likes to go on about, there are many Windows components (including some third-party software) that use parts of IE to do things like Web access or HTML rendering. So it is possible to be running a piece of IE without realizing it.
Posted by: Rich Gibbs | June 13, 2007 11:47 AM
Rich, when I attempt to access that 32-bit IE7 update to which you provided a link, I find that I can download, but not install it, as it comes as an .msu file which no one seems to recognise. This, no matter whether I use the default US English version, or change the language to that of my IE7 installation, i.e., Swedish. What's going on with Windows' updates?
Henri
Posted by: mhenriday | June 13, 2007 12:27 PM
@Henri,
That link is for the 32-bit version of the Vista upgrade for IE7. If you have another version of Windows, such as WinXP or Windows Server 2003, you'll need a different update, I think. (For example, the IE7 update for Win XP/SP2 is called 'IE7-WindowsXP-KB933566-x86-ENU.exe'.)
As far as I can tell, Microsoft has now fixed the broken link on the update summary page:
http://www.microsoft.com/technet/security/bulletin/ms07-jun.mspx
so you should be able to grab the update you need there.
Posted by: Rich Gibbs | June 13, 2007 4:58 PM
FYI...
Exploits posted for MS07-031 and MS07-033
- http://preview.tinyurl.com/3bpuol
June 13, 2007 (Computerworld) - "Exploits appeared within hours for two of the bugs that Microsoft Corp. fixed yesterday..."
Posted by: J. Warren | June 14, 2007 9:12 AM
Just wondering why "the Redmonds" don't update the infected systems? The software used by "cracks" is either from a beta-tester or a big firm. And who put it online for downloading? For sure not those cracks.
tagesclaus
Posted by: tagesclaus | June 16, 2007 12:33 PM
It seems that IE7 can no longer browse the internet after 933566 is installed, uninstall it and all works well again.
Is there a fix yet?
Others have the same issue; refer to:
http://blogs.msdn.com/ie/archive/2007/06/12/ie-june-security-update-in-now-available.aspx
Posted by: Adsa75 | June 17, 2007 10:43 PM
Google also reported antitrust complaints about Microsoft. Now Microsoft, a great organization, has to consolidate its position and become serious about avoiding all the bad remarks and once again emerge in the No. 1 position in the world in all sections of I.T.
Posted by: ebooker | June 23, 2007 3:35 AM
The comments to this entry are closed.