
Microsoft Patch Reflects Continuing IE Vulnerability


Microsoft released seven patches for several vulnerabilities, including two zero-day flaws in Windows Media Player and a hole in Visual Studio 2005. The update does not address the recent zero-day vulnerabilities in Microsoft Word, but does resolve problems found in IE Versions 5 and 6 (Service Pack 1) running on Windows 2000, Windows XP and Windows Server 2003 systems.



Microsoft (Nasdaq: MSFT) has released seven patches for several of its applications, including Outlook Express and Visual Studio 2005. Two of the patches are rated "critical": a vulnerability in script error handling and a vulnerability in Windows Media Player.

The first patch addresses a number of vulnerabilities in Internet Explorer. "It is significant because we are seeing more hackers use these vulnerabilities for attacks," Oliver Friedrichs, director, Symantec (Nasdaq: SYMC) Security Response, told TechNewsWorld. "Simply by visiting a malicious Web site, a user could conceivably become infected."

The patch release also addresses the increase in exploitation of zero-day vulnerabilities.

Client-Side Vulnerabilities

Specifically, the patch addresses a client-side code execution vulnerability caused by a memory corruption condition when handling script errors in certain circumstances, Symantec said. It exists in Internet Explorer 5 and 6 (Service Pack 1) on Windows 2000, Windows XP and Windows Server 2003 systems.

The Windows Media Player vulnerability is also an important fix; increasingly, hackers use movie files, MP3s and other media types as hiding places for malicious code, Friedrichs said.

This client-side code execution vulnerability is caused by an unchecked buffer in Windows Media Player code that handles Advanced Streaming Format (ASF) files, Symantec explained. It affects all versions of Windows Media Player: 6.4, 7.1, 9 and 10.

The larger story from this latest patch release is that client-side vulnerabilities are not going away anytime soon, according to Friedrichs. "They are very efficient and easy for hackers to exploit," he said.

Friedrichs was not surprised that Microsoft did not release a patch for the recent, high-profile vulnerabilities in Microsoft Word. "A patch at minimum would take 28 or so days to develop," he noted.

Tips for IT Managers

Symantec offers the following advice for IT shops:

  • Evaluate the possible impact of these vulnerabilities to critical systems;
  • Plan for required responses, including patch deployment and implementation of security best practices using the appropriate security solutions;
  • Take proactive steps to protect the integrity of networks and information;
  • Verify that appropriate data backup processes and safeguards are in place and effective;
  • Remind users to exercise caution in opening any unknown or unexpected e-mail attachments, or in clicking on Web links from unknown or unverified sources; and
  • Regularly run Microsoft Update and install the latest security updates.


More by Erika Morphy
