Microsoft Issues Five Security Updates
By Jennifer LeClaire / CRM Daily
One week after issuing the out-of-cycle ANI cursor flaw patch, Microsoft released five additional security updates to fix eight vulnerabilities as part of its monthly Patch Tuesday cycle. Redmond also corrected problems that last week's emergency patch caused customers.

Three of the security updates to the Windows operating system were rated critical. Hackers could use the vulnerabilities to install malicious code on a victim's PC. The fourth update addresses a vulnerability in Microsoft's Content Management Server software.

Davis Marcus, a security research and communications manager for McAfee Avert Labs, said the Microsoft Content Management Server vulnerability and the Windows Client/Server Runtime Subsystem (CSRSS) vulnerability are of particular concern.

"Both of these can result in remote code execution on affected systems," Marcus explained in a statement. "Combined with the popularity of browser or Web-based attack vectors, these vulnerabilities can be particularly dangerous. Consumers and enterprises should take these vulnerabilities very seriously and employ a risk-based management approach to make sure they are properly protected."

ANI Once Again?

The critical ANI cursor flaw patch, which fixed a problem in the way Windows handled animated cursor files, was added to April's Patch Tuesday mix.

According to Microsoft's security blog, last week's patch caused problems with some third-party applications, including TUGZip, a free file-archiving utility, and CD-Tag, a program that turns CDs into digital audio files. But some security researchers believe the ANI issue is far from over.

"While Microsoft fixed the ANI vulnerability last week, a new Vista vulnerability has emerged and was addressed, leading experts to believe that this is the beginning of the weaknesses that we will see this year with Vista and that Microsoft's reuse of code from previous versions of Windows can weaken Microsoft's new Security Development Lifecycle," said Amol Sarwate, manager of the vulnerability research lab at Qualys.

Changing Landscape

Meanwhile, update MS07-021 addresses the CSRSS vulnerability, which could allow a hacker to take complete control of a system if a victim views a specially crafted Web site. The problem lies in the way the CSRSS process handles error messages. Although this vulnerability is listed for Vista, nCircle points out that it also affects all previous Windows platforms.

The CSRSS vulnerability is another data point in the changing security landscape, according to Minoo Hamilton, a senior security researcher for nCircle, a network security firm with clients including Visa, Fujitsu, and U.S. Cellular.

"Vulnerability trends have shifted toward those that require human interaction in response to Microsoft's gradual tightening down on remote code execution," Hamilton noted. "Attacks that leverage social engineering techniques are difficult to defend against because the human element is always an unknown variable."

The impact of the CSRSS vulnerability on I.T. managers will be significant, according to nCircle, because the vulnerability affects everything and will therefore be harder to manage. However, Hamilton said, the most interesting thing about MS07-021 is that "we have a [common vulnerabilities and exposures alert] on Dec. 21, 2006 and a Microsoft Security Response Center blog posting on Dec. 22, 2006 on this same vulnerability well in advance of Vista's release in January 2007."

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.