Microsoft Spreads Holiday Security With 11 Fixes
Three are critical fixes involving media files and Internet Explorer.
That should wrap it up for 2007, at least regarding Microsoft and its security updates. The company on Tuesday issued its monthly update for December, which consists of seven security bulletins that fix 11 vulnerabilities.
Three of the bulletins are rated as critical, the most severe fixes. The other four are rated as important, and patching them is highly recommended as well.
This update follows the unusually light November release, which fixed only two flaws. What's notable in this update is that five of the seven security bulletins affect Vista, including all three critical fixes. Until now, Vista has not been affected by patches as much as Windows XP.
Bulletin MS07-064, one of the critical bulletins, addresses the DirectX vulnerability. The flaw would allow a specially crafted streaming media file to be used to take complete control of an affected system, install programs, change or delete data, or create new accounts with full user rights. It affects DirectX versions 7.0 to 10.0.
The Windows Media File format fix, MS07-068, addresses a similar vulnerability, in that a specially crafted file in Windows Media Format Runtime could be used to take control of a system. Both MS07-064 and MS07-068 hit hardest when the user is logged in as an Administrator, while those with more restricted rights are less likely to suffer significant impact.
Paul Zimski, senior director of market strategy at enterprise security firm Lumension Security, was particularly troubled by the video-related vulnerabilities. "This is particularly troublesome because attackers can prey on users as the weakest IT security link by posting seemingly harmless videos on YouTube, MySpace, Facebook or similar sites. If a user watches one of these infected videos, malware will execute, compromise their machine and put the entire network at risk," he said in a statement e-mailed to InternetNews.com.
MS07-069 is a roll-up of fixes for four vulnerabilities in Internet Explorer, and is listed as a moderate threat for Windows Server 2003 but critical for all others. The fixes address remote code execution threats and also how IE frees up used memory.