Slow Patch Tuesday Should Not Be Dismissed
It may have only one critical fix, but it's critical for a reason.
Microsoft's monthly patch cycle is about as slow as the company can get while still having a Patch Tuesday. It released two, count 'em, two fixes Tuesday, one rated Critical, the most severe kind of fix, and one rated as Important, considered the least severe.
The one Critical fix, MS07-061, addresses a publicly reported vulnerability involving how the Windows shell handles specifically crafted URIs (define) that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code.
Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7, but the vulnerability also exists in a Windows library file, so all versions of Windows are affected by it. This fix will require a reboot.
Security experts urged administrators to install the 061 patch right away.
"This is a light Patch Tuesday with only one critical Microsoft OS vulnerability, a critical remote code execution that needs to be patched," said Don Leatham, director of solutions and strategy for Lumension Security, in a statement to InternetNews.com.
Leatham said administrators should look into other problems, as several application vulnerabilities have come to light in recent weeks. These include remote code execution holes in QuickTime, a vulnerability in Macrovision's Flexnet product and remote code execution holes in Adobe Acrobat.
Sarwate noted that Microsoft released an out-of-band advisory stating that a patch would be available shortly for the Macrovision vulnerability and that it was "very surprising" that a fix was omitted, although Macrovision has issued its own patch.
Amol Sarwate, manager of the vulnerability research lab at Qualys, also addressed the broader impact beyond Microsoft in an emailed statement. "Given that URI translation can be done at the operating system shell or the application level, its notable that other vendors, including Adobe and Mozilla, released patches in the past weeks to address this issue," noted Sarwate. "Having said that, application vendors will benefit from Microsofts operating system ability to sanitize at the shell level."