Establishing Digital Trust: Don't Sacrifice Security for Convenience
Never to let a good opportunity go unexploited, scammers have been sending out a spam e-mail purporting to be from Microsoft, hoping to find a sucker who will click on the link in the letter. You won't get the fixes, but you will get a Trojan, and who knows what else, installed on your computer.
The SANS Internet Storm Center first noticed a spam e-mail floating around last Thursday. The letter is an age-old trick: It purports to be from Microsoft and asks the user to click on the link to get the latest "patch." Except there is no patch.
"It's fairly convincing to the average eye since they spoofed the [Microsoft] address," Fred Touchette, a research analyst for security firm AppRiver, told internetnews.com. "It appears to be coming from Microsoft. People should know Microsoft doesn't do patches through an e-mail link; they use their Update service. But they [spammers] only need a few people to bite on it to be successful."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iOne non-critical fix was for Windows Vista. The fix, listed as Important, fixes uses default permissions for unspecified "local user information data stores" in the registry and the file system. Local users might be able to obtain sensitive information, such as administrative passwords without the fix.
The fixes run the gamut from the Windows operating systems to Internet Explorer to a variety of applications.
MS07-30, for example, addresses a pair of critical vulnerabilities in Microsoft Visio 2002 and 2003, its visual design tool. The vulnerability allows remote user-assisted attackers to execute arbitrary code via a Visio file to trigger memory corruption.
Six critical fixes were made to Internet Explorer, along with some bug fixes, in MS07-33, a cumulative update for IE. Four critical fixes in a cumulative update for Outlook Express and Windows Mail were also addressed.