Windows 7 critical holes fixed in record Patch Tuesday


DKT27


  • Administrator

Microsoft released a record number of 13 bulletins for 34 vulnerabilities on Patch Tuesday--and the first critical update for Windows 7--as well as fixes for zero-day flaws involving Server Message Block (SMB) and Internet Information Services (IIS).

The most severe of the three SMB flaws, which were first reported last month, could allow an attacker to take control of a computer remotely by sending a specially crafted SMB packet to a computer running the Server service. Exploit code for one of the SMB holes has been posted to the Web, Microsoft said.

Windows 7 is affected by two critical patches intended to mend vulnerabilities that could allow remote code execution if a malicious Web page were viewed, one part of a cumulative security update for Internet Explorer and the other in .Net Framework and Silverlight.

The official release date for Windows 7 is October 22, but the new operating system has been available to some large businesses with volume licenses since the summer. The code was finalized in July.

Other critical patches in the security bulletin for October fix a vulnerability in Windows Media Runtime that could be exploited if a user opened a malicious media file or received malicious streaming content from a Web site or application, and if a specially crafted ASF (Advanced Systems Format) file is played using Windows Media Player 6.4.

Among the critical updates: a cumulative security update of ActiveX Kill Bits that is being exploited and that affects ActiveX controls compiled using Active Template Library (ATL); and another patch resolving several vulnerabilities in ATL ActiveX Controls that could allow remote code execution if a user loaded a malicious component or control. ActiveX and ATLs were the subject of an emergency patch Microsoft released in July.

The final critical bulletin fixes a hole in Windows GDI+ (Graphics Device Interface) that could allow an attacker to take control of a computer if a user viewed a malicious image file using affected software or browsed a malicious Web page.

"Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse-engineer today's patches, which may very well lead to exploits being created," said Dave Marcus, director of security research and communications at McAfee Labs.

Nine of the vulnerabilities were previously disclosed, which meant that attackers had time to come up with so-called "zero-day" exploits before the patches were available, Marcus noted.

The most alarming vulnerability in the mix is the SMB flaw, which was introduced by the patch for a different vulnerability, according to Josh Phillips, virus researcher at Kaspersky Lab.

Andrew Storms, director of security operations at nCircle, said the bug that is likely to have the biggest impact will be the critical one affecting Windows Media Runtime and that involves a speech codec bug that has limited exploits in the wild. "This is a typical file-parsing issue and similar to vulnerabilities that have allowed attackers to create drive-by attacks that infect unsuspecting video viewers," he said.

Meanwhile, the critical SMB vulnerability is relatively difficult to exploit given default firewall conditions, but the IIS bugs are easy to exploit, Storms added.

Also released were five bulletins rated "important" to fix vulnerabilities in IIS, for which exploit code has been publicly released and for which there have been limited attacks, along with Windows CryptoAPI, Windows Indexing Service, Windows Kernel and Local Security Authority Subsystem Service.

The update for Windows CryptoAPI relates to flaws in the way domain names are verified on the Internet that could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. The holes were revealed by researchers Dan Kaminsky and Moxie Marlinspike at Defcon in August.

Affected software includes Windows 7, Windows 2000, Windows XP, Windows Vista, Server 2003 and 2008, Office XP, Office 2003 and 2007 Microsoft Office System, SQL Server 2000 and 2005, Silverlight, Visual Studio .Net 2003, Visual Studio 2005 and 2008, Visual FoxPro 8.0 and 9.0, Microsoft Report Viewer 2005 and 2008, Forefront Client Security 1.0, and Office software including Visio, Project, Word Viewer and Works.

The installation also removes the Win/FakeScanti Trojan, which claims to scan a system for malware and claims to find it in order to get money from computer users.

Source

  • Administrator

Well I received about 25 updates on my XP. :huh:

5 updates yesterday, 1 update today :) Cool...

But why doesn't my computer notify me about updates? I mean I had to check for new updates manually. And I can't find an option where to set it to automatic.

  • Administrator

Control Panel > Automatic Updates? :huh: . There would be many settings there.

Control Panel > Automatic Updates? :huh: . There would be many settings there.

You don't even use 7 :D Anyway, I checked now for it to check updates but not download and install. Let's see if it will notify me.

  • Administrator

:lol:

Well, the same settings exist in XP, so I thought...

I have also selected the same in Automatic Updates. I don't want it to download without asking me. :angry:
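Added example, not from the thread or from Microsoft: a PowerShell script that reports which Automatic Updates mode is actually in effect (the "check but don't download and install" choice the posters settled on is AUOptions = 2) and lists the updates installed in the last week, so you can confirm a Patch Tuesday batch really landed. It assumes Windows XP/Vista/7 with PowerShell 2.0 or later, run as an administrator; the registry paths and value meanings are the ones Microsoft documents for the Automatic Updates client.

```powershell
# Added example: inspect the Automatic Updates configuration and recent installs.
# Assumes PowerShell 2.0+ on XP/Vista/7, run elevated. A Group Policy setting,
# if present, overrides the Control Panel choice, so the policy key is checked first.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$userKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Documented AUOptions values for the Automatic Updates client.
$auOptionsMeaning = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify before download (check only; user downloads and installs)'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install automatically on a schedule'
}

function Get-AutoUpdateSetting {
    foreach ($key in @($policyKey, $userKey)) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Policy can switch the client off entirely; that wins over everything else.
        if ($props.PSObject.Properties['NoAutoUpdate'] -and $props.NoAutoUpdate -eq 1) {
            return New-Object PSObject -Property @{ Source = $key; Setting = 'Disabled by policy (NoAutoUpdate = 1)' }
        }
        if ($props.PSObject.Properties['AUOptions']) {
            $code = [int]$props.AUOptions
            $text = if ($auOptionsMeaning.ContainsKey($code)) { $auOptionsMeaning[$code] } else { "Unknown value $code" }
            return New-Object PSObject -Property @{ Source = $key; Setting = "$code - $text" }
        }
    }
    return New-Object PSObject -Property @{ Source = 'none'; Setting = 'No Automatic Updates setting found' }
}

Get-AutoUpdateSetting | Format-List Source, Setting

# Updates installed in the last 7 days. Get-HotFix reads the same data as
# Control Panel's "View installed updates"; an update that was only downloaded
# or notified (AUOptions 2/3) does not appear until it is actually installed.
$since = (Get-Date).AddDays(-7)
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn, InstalledBy |
    Format-Table -AutoSize
```

Compare the HotFixID column against the KB numbers in the month's bulletins to see which of the 13 were applied; a box showing AUOptions = 2 will list nothing new until someone clicks through the notification.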
