E-Commerce News: Security: Microsoft Stitches Up Desktop Flaws

Microsoft Stitches Up Desktop Flaws

By Erika Morphy
TechNewsWorld
Part of the ECT News Network
08/15/07 12:22 PM PT

Microsoft's latest security fixes focus on problems identified in several popular desktop applications, including Excel, the widely used spreadsheet tool in Microsoft Office. Most of the flaws are subject to remote exploitation when users view a specially crafted Web page.

Verio MPS Solutions
Verio managed server solutions deliver the power and flexibility of a dedicated server at a fraction of the price. Learn more about how Verio gives you increased control, scalability, uptime, and performance.

Microsoft (Nasdaq: MSFT) has fixed six critical and three important desktop application vulnerabilities in this month's Patch Tuesday release.

Patches for flaws that directly affect desktop application users have been showing up more frequently in Patch Tuesday releases over the last eight to ten months, noted Amol Sarwate, manager of the vulnerability research lab at Qualys.

"Three or four years ago, the vulnerabilities were mainly found in file or e-mail servers, for instance," he told TechNewsWorld. This shift in security focus -- or the increase in this type of vulnerability -- is very apparent in this release, he added, a reflection perhaps of the growing number of attacks targeting Web-based and next-generation media applications.

The August patch, which addresses 14 vulnerabilities in all, is also notable for its size, Sarwate continued. For the year to date, this month's release is the largest since February.

From Critical to Important

Most of the flaws are subject to remote exploitation when users view a specially crafted Web page. Indeed, the practice of setting up such Web pages or embedding malicious code in legitimate ones has surged over the past month or so.

The most critical vulnerability in the latest patch is in Microsoft XML (extensible markup language) core services. There are also flaws in Excel, OLE (object linking and embedding) automation, Internet Explorer, the graphics rendering engine and VML (vector markup language) implementation -- all of which can be hacked through remote code execution.

Flaws in Windows Media Player and Windows gadgets can also be hacked remotely. Finally, a vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or on another guest operating system.

"It is a pretty broad range of products that are affected in this release," Sarwate commented. In his view, the most important patch is MS07-046: It fixes the Microsoft graphics rendering engine in the core Windows operating system. If left unpatched, users who view malformed image files will open up their systems to remote code execution.

IE and Excel

The patches that relate to Internet Explorer and Excel -- part of the Microsoft Office suite -- are also important, Sarwate said, as they are such widely used applications.

"A typical exploit scenario would be for MS Office and Explorer users to receive and open a malformed Excel spreadsheet as an e-mail attachment, or visit a Web site that hosts malformed Excel spreadsheets -- at which point the machine can be compromised and overtaken by attackers," he says in an advisory on the patch.