
Network World

Microsoft Patch Tuesday has three on critical list

By John Fontana , Network World , 12/11/2007

Microsoft on Tuesday released two critical patches for Windows and one for Internet Explorer; the Internet Explorer flaw is being actively exploited, according to Microsoft.

The releases were part of the company’s monthly Patch Tuesday.

Critical patch MS07-069 affects versions 5.01, 6.0 and 7.0 of Internet Explorer, including 7.0 in Vista, and could allow remote code execution when a user views a Web page. Microsoft said hackers are already exploiting this vulnerability.

“This is ‘view an evil Web page and get hacked,’ the code executes without the user having to do anything,” says Eric Schultze, CTO of Shavlik Technologies. Schultze says the Web page looks like it may provide streaming media, but in the background it is installing back doors, trojans and other malicious software.

Microsoft said that users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The other two critical patches for Windows -- MS07-064 and MS07-068 -- address flaws that would allow a hacker to remotely execute code on the compromised PC. The vulnerabilities in Microsoft DirectX addressed by MS07-064 would allow the hacker to install programs; view, change, or delete data; and create new accounts with full user rights. In all, Microsoft released seven patches, the three critical ones and four rated important, that address a total of 11 vulnerabilities.

The patch that was conspicuously absent was one for the Web Proxy Autodiscovery Protocol (WPAD) vulnerability, an eight-year-old flaw in Windows that was brought to light again last month.

The flaw lets hackers exploit a proxy configuration service and hijack a user’s Web traffic.

Schultze said the critical flaws in the December patch cycle were typical of past critically rated flaws and contained nothing out of the ordinary.

Schultze added that MS07-063 was interesting because it exploits new security code that debuted in Vista. The vulnerability is in Server Message Block Version 2 (SMBv2), which is a packet signing technology that allows two Vista machines to securely talk to one another. The packet signing is to ensure that the system is only receiving packets from an authorized participant in the conversation.

The vulnerability allows the attacker to spoof packets in order to remotely execute code.

The vulnerability is tough to exploit, according to Schultze, and he adds that is likely why it is rated important rather than critical.

The SMBv2 feature is turned off by default in the operating system so a user who deliberately turns it on to enhance security is actually making their system less secure.

“This is a brand-new feature built for Vista, it is new code, and it has a big flaw that was not caught in Microsoft’s security-vetting process,” Schultze says.

The other important patches are MS07-065, which addresses a flaw that could allow remote code execution in implementations on Microsoft Windows 2000, or elevation of privilege in implementations on Windows XP; MS07-066, which addresses a vulnerability in the Windows kernel that could allow an attacker to take complete control of a Windows system, including installing programs; viewing, changing or deleting data; or creating new accounts that have full privileges; and MS07-067, which addresses a vulnerability associated with the Macrovision driver that, when exploited, could give a hacker complete control of the system.


Comments (9)

RE: Microsoft Patch Tuesday has three on critical list
By Anthony Staines on December 12, 2007, 4:25 am
Isn't it astonishing that an exploit which is being used in the wild, was not patched urgently? This illustrates Microsoft's contempt for their users and their lack...

What better way to sell the
By Dan Good on December 12, 2007, 11:35 am
What better way to sell the next OS (Fear of the lack of security). To be fair Microsoft can not test for every variable their systems will be deployed in, so in...

MS patch 07-069 (KB942615)
By Joe Auerbach on December 12, 2007, 11:43 pm
After installing it on an XP SP2 machine, I started getting error messages when starting IE. In an MS forum, I saw a suggestion to remove it, which fixed the error...

"back" to the AS/400
By Don Rima on December 20, 2007, 2:00 pm
Dan, Some of us have never left the AS/400(iSeries/i5/System i - or whatever IBM is calling it next week) :) Guess we know a good thing when it just works...and...

Why would you implement the least secure?
By Mike C on December 20, 2007, 2:09 pm
Granted they can't test for every variable and I think you have to separate client from server issues. From 2003 to 2007 there were 134 Secunia issued advisories...

Disagree
By Jim on December 20, 2007, 2:51 pm
Dan, I disagree with your statement entirely. Microsoft is a big target with large customer base. Switch it around and Unix or Linux or whatever you choose...
