2/14/2008
"These vulnerabilities underscore the importance of having a full security
suite to protect consumers and enterprises from being exploited since it's obvious
they can no longer only rely on traditional best practices alone, such as avoiding
unknown or unexpected e-mail attachments or following Web links from unknown
sources," said Ben Greenbaum, senior research manager for Symantec Security
Response.
Meanwhile, the fifth critical bulletin affects Microsoft Office Publisher versions
2000 to 2003 and Office XP SP3. The patch resolves two privately reported vulnerabilities
in Office Publisher that could allow remote code execution through
a specially crafted Publisher file. One such example is an e-mail newsletter
that an end user probably shouldn't be opening in the first place.
The last critical issue affects the whole Office suite of applications, most specifically Office 2000 SP3. Office XP SP3, Office 2003 SP2 and Office 2004 for Mac are all noted as "important" in regard to this patch.
While the critical issues will certainly keep a technologist's hands full, there are also five so-called "important" bulletins in this month's rollout.
The first one resolves a privately reported hole that can be exploited during ramp-up of Active Directory on Windows 2000 Server, Windows Server 2003 and Active Directory Application Mode, particularly when installed on Windows XP Professional and Windows Server 2003. This is a denial of service exploit where a hacker simply shuts administrators out of the systems, creating outages, work stoppages and other interruptions. On Windows Server 2003 and XP, however, the hacker would need inside information like local log-on credentials.
The second fix addresses Transmission Control Protocol/Internet Protocol processing,
more commonly known as TCP/IP. It's a privately reported vulnerability where
hackers could force automatic restarts on a looped basis.
The third and fourth important patches affect Windows Internet Information Services
(IIS) and are poised to stop elevation of privilege and RCE exploits respectively.
In the first case, the attacker would most likely need to have local credentials.
Meanwhile, the second one is remote and deals with ASP Web page inputs where
an attacker could take control of the IIS server by way of the Worker Process
Identity program, which is preset with network admin account privilege defaults--candy for a hacker.
The third patch affects every OS and Windows Server version with the exception of Vista SP1 and the new Windows Server 2008, while the fourth covers XP Professional SP2 including the 64-bit editions and all Windows Server 2003 editions.
Security admins should give these two a close look, according to observers.
"The two important patches for IIS warrant attention because Web servers
are prime targets compared to an endpoint, and this is definitely not something
that you want to be vulnerable," said Lumension's Zimski.
The last of the bunch is an RCE bug unleashed via specially crafted Microsoft Works
or .WPS files with an affected version of Office, Microsoft Works
or Microsoft Works Suite. The bulletin synopsis says the bug it fixes is more
common on Office 2003 SP2 and SP3, as well as Microsoft Works 8.0 and Microsoft Works Suite
2005.