SECURITY

Microsoft Patch Reflects Continuing IE Vulnerability


Microsoft released seven patches for several vulnerabilities, including two zero-day flaws in Windows Media Player and a hole in Visual Studio 2005. The update does not address the recent zero-day vulnerabilities in Microsoft Word, but does resolve problems found in IE Versions 5 and 6 (Service Pack 1) running on Windows 2000, Windows XP and Windows Server 2003 systems.



Microsoft (Nasdaq: MSFT) has released seven patches for several of its applications, including Outlook Express and Visual Studio 2005. Two of the patches are rated "critical": a vulnerability in script error handling and a vulnerability in Windows Media Player.

The first patch addresses a number of vulnerabilities in Internet Explorer. "It is significant because we are seeing more hackers use these vulnerabilities for attacks," Oliver Friedrichs, director, Symantec (Nasdaq: SYMC) Security Response, told TechNewsWorld. "Simply by visiting a malicious Web site, a user could conceivably become infected."

The patch release also addresses the increase in exploitation of zero-day vulnerabilities.

Client-Side Vulnerabilities

Specifically, the patch addresses a client-side code execution vulnerability caused by a memory corruption condition when handling script errors in certain circumstances, Symantec said. It exists in Internet Explorer 5 and 6 (Service Pack 1) on Windows 2000, Windows XP and Windows Server 2003 systems.

The Windows Media Player vulnerability is also an important fix; increasingly, hackers use movie files, MP3s and other media types as hiding places for malicious code, Friedrichs said.

This client-side code execution vulnerability is caused by an unchecked buffer in Windows Media Player code that handles Advanced Streaming Format (ASF) files, Symantec explained. It affects all versions of Windows Media Player: 6.4, 7.1, 9 and 10.

The larger story from this latest patch release is that client-side vulnerabilities are not going away anytime soon, according to Friedrichs. "They are very efficient and easy for hackers to exploit," he said.

Friedrichs was not surprised that Microsoft did not release a patch for the recent, high-profile vulnerabilities in Microsoft Word. "A patch at minimum would take 28 or so days to develop," he noted.

Tips for IT Managers

Symantec offers the following advice for IT shops:

  • Evaluate the possible impact of these vulnerabilities to critical systems;
  • Plan for required responses, including patch deployment and implementation of security best practices using the appropriate security solutions;
  • Take proactive steps to protect the integrity of networks and information;
  • Verify that appropriate data backup processes and safeguards are in place and effective;
  • Remind users to exercise caution in opening any unknown or unexpected e-mail attachments, or in clicking on Web links from unknown or unverified sources; and
  • Regularly run Microsoft Update and install the latest security updates.


More Stories by Erika Morphy
