Microsoft patches URI bug, ancient DNS flaw
No sign of DRM fix as company plugs protocol handler vulnerability it finally acknowledged
Microsoft Corp. today released two security bulletins that fixed a pair of flaws in Windows, including a vulnerability that had been the root of a monthslong debate over patching responsibility.
One of the updates was rated critical, Microsoft's highest threat ranking, while the other was pegged as important, the next-lowest notch in the company's four-step scoring system.
MS07-061 patched the Uniform Resource Identifier (URI) protocol handler bug in Windows XP and Windows Server 2003 that Microsoft admitted was its job to fix only after months of denying that a vulnerability existed in its software. In a security advisory posted Oct. 11, Microsoft owned up to the flaw.
The vulnerability has been exploited in the wild for weeks, most recently by a wave of attacks using rigged PDF files.
Although only PCs running XP or Server 2003 that were also equipped with IE 7 have been shown to be at risk, Microsoft pushed the patch to all users of those operating systems, no matter which browser they had installed. "Microsoft has not identified any way to exploit this vulnerability on systems using Internet Explorer 6," the security bulletin said, "[but] as a defense-in-depth measure, this security update is made available to all customers using supported editions of Windows XP and Windows Server 2003, regardless of which version of Internet Explorer is installed."
Andrew Storms, director of security operations at nCircle Inc., applauded the proactive move. "Microsoft's saying that even though it's unable to exploit [the URI protocol handler bug] for IE 6, the bug still exists, and someone else may come along and figure out an exploit," he said.
According to Eric Schultze, the chief technology officer of Shavlik Technologies LLC, Microsoft is simply following protocol. "They're giving the patch regardless of the SKU of XP or Server 2003, because they can't deliver it as an IE patch," he said. The flawed component, the "shell32.dll" file, is part of Windows, not Internet Explorer.
But although the fix should put an end to URI protocol handler exploits which rely on IE -- or, as Storms put it, "at least until the next attacks" -- other applications that register buggy handlers will still have to patch their own code. Microsoft's security experts, including Mark Miller, the director of the Microsoft Security Response Center (MSRC), and Mike Reavey, the operations manager for the group, made that clear in an interview a month ago.
The other bulletin issued today, dubbed MS07-062, patches a DNS cache poisoning vulnerability in Windows 2000 SP4, and Windows Server 2003 SP1 and SP2.
"This is a classic, a nostalgic man-in-the-middle kind of vulnerability," said Storms, who also knocked Microsoft for taking so long to fix the flaw. "This is something that other DNS [Domain Name System] vendors, like BIND, have known about and fixed years ago." Storms, in fact, was quickly able to dig up reports of the DNS vulnerability from as far back as 2002.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast Best Practices: How to Improve Business Continuity with Virtualization VMware solutions include a range of business continuity capabilities to help ensure availability for applications across your virtualized environment. Learn More>>
- Live Webcast
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts