By Erika Morphy TechNewsWorld Part of the ECT News Network
09/12/07 1:46 PM PT
Microsoft's fixes are few -- and most of them are merely "important" -- in the company's latest Patch Tuesday release. Still, security experts suggest users shouldn't be tempted to relax their vigilance. "What is important to remember is that most of these patches are based on code that has been out in the wild for some time," said Secure Computing VP Paul Henry.
Microsoft (Nasdaq: MSFT) has provided "important" updates for vulnerabilities in MSN Messenger, Windows Live Messenger and Windows Services for Unix 3.0 in its monthly Patch Tuesday release. Its most important fix -- a critical vulnerability -- is in its Windows Agent animation services. This is the agent that displays animated characters for internal use, such as the Microsoft Office "talking" paper clip.
While the number of fixes is relatively small, the vulnerabilities leave enterprises open to trouble in surprising ways, Paul Henry, vice president of technology evangelism for Secured Computing, told TechNewsWorld. With the Messenger issue, for example, "the code is out there in the wild, and the flaw allows a hacker to remotely execute code at the log-in user level."
MS07-054 -- Microsoft's fix to the zero day vulnerability in MSN Messenger -- belies its "important" status, remarked Amol Sarwate, manager of the vulnerability research lab at Qualys. If left unpatched, an MSN Messenger user's machine can become compromised simply by viewing a hacker's webcam.
"The MSN vulnerability comes on the heels of several recent new media attacks using social engineering to take advantage of end users," Sarwate said, "including a Yahoo (Nasdaq: YHOO) IM (instant messaging) webcam vulnerability patched with the release in July, as well as exploits based on graphics and video applications that popped up earlier this year."
Sarbox Violation?
Indeed, the potential for exposure is so widespread and so high that some firms consider it a possible violation of the Sarbanes-Oxley Act, Henry said.
By contrast, the one critical vulnerability, MS07-051, only affects Windows 2000 Service Pack 4 (SP4) users, not those running Windows 2003, XP or Vista operating systems, according to Sarwate.
A system can be compromised if a user browses to a malicious Web site.
Also labeled "important" by Microsoft is MS07-053, a Windows services for Unix patch for users who integrate Windows with Unix -- a relatively small universe.
One-Year Wait
Of more concern is MS07-052, which affects Crystal Reports files. "Social engineering tactics can be used here if a person is used to downloading an RPT file," Henry said.
Even savvy computer users are still falling prey to these tactics, he commented, especially as hackers stay one step ahead of the vendor patch rollouts.
"We are continuously seeing the bad guys alter their strategies based on what patches have been released," Henry said.
"What is important to remember is that most of these patches are based on code that has been out in the wild for some time," he observed. Indeed, the time between a patch release and the malware code's development is increasing -- it's now close to a year.
Worm Winds Its Way Into Skype for Windows September 10, 2007
Skype is cautioning its Skype for Windows users of a worm called "W32/Ramex.A" that is spreading fast within the service's instant chat application as a link in an instant message. The message is "cleverly written and may appear to be a legitimate chat message, which may fool some users into clicking on the link," said Kurt Sauer, the company's chief security officer.
Related Stories
Skype: Patch Tuesday Led to Blackout Friday August 20, 2007
Skype said its outage last week was actually the result of a massive number of its users' machines rebooting nearly simultaneously after downloading a Microsoft Windows security patch. The peer-to-peer network saw a spike in reboots while at the same time fewer of its users' computers were online to handle the higher traffic. Additionally, a bug in Skype's self-healing capability contributed to the outage.
On Tap for Patch Tuesday: Three Critical Updates July 09, 2007
Microsoft will issue six security updates on Tuesday for vulnerabilities in Office, Windows and the .Net framework for running and building and applications. Three are labeled "critical," two are called "important" and one is what the company called "moderate" in importance. Users should make sure they are set to receive the updates as soon as possible, suggested Shane Coursen of Kaspersky Lab.
Microsoft Fends Off Zombies, Worms and Bugs With Patch Tuesday May 09, 2007
There were seven advisories labeled "critical" included in Microsoft's latest Patch Tuesday. This month's offerings make it clear that, despite Microsoft's best effort to create software that's bulletproof out of the box, doing so is a very difficult task. As usual, the repairs will be made available through Windows Automatic Updates.
Related News Alerts
More by Erika Morphy
Cisco Adds New Technologies to Collaboration Tool Chest November 09, 2009
Cisco has launched new collaboration tools designed to make it easier for businesses to work closely with their partners without creating security risks. They also provide a receptive platform for the increased use of video and social media in the enterprise. Cisco introduced three new network devices to support the collaboration tools.
Windows 7 Flies Off the Shelves November 06, 2009
Early sales figures on Windows 7 boxed software suggest a high level of consumer enthusiasm for the OS. Unit sales were a whopping 234 percent higher than Vista's out of the gate. The revenue haul was not as impressive, as Microsoft offered sharp discounts to spur presales. Also, sales of PCs with Windows 7 preinstalled have been lackluster -- but October is historically a weak month for PC sales.
Southwest Doesn't Fool Around November 06, 2009
Either Southwest Airlines had better deals for my favorite route than its competitors or its superior Web site tools made it easier for me to ferret them out. Either way, kudos to Southwest. In the not-so-hot department were the airline's long list of what passengers weren't allowed to do and its very short list of what Southwest was obliged to do for them. Left me feeling a little chilly.
Headline Feeds
Talkback: 
