September is looking like a slow month for Microsoft bugs: this month’s Patch Tuesday features only one critical fix, for one specific version of Windows, plus three fixes rated important, which rank as less severe.
The only critical fix is in Microsoft Agent, which has a vulnerability that could allow for remote code execution. Agent is used in a variety of Microsoft applications that are integrated into Windows, most notably the Windows Search feature with the animated dog.
However, the fix is only for Windows 2000 Service Pack 4. All other versions of Windows are fine.
“We don’t foresee a lot of exploitation of the Windows 2000 vulnerability. Not many people will use those legacy systems to surf the Web, which would be the primary attack vector,” Dave Marcus, security research and communications manager at McAfee Avert Labs, said in a statement sent to InternetNews.com.
The other three fixes are non-Windows-related. A remote code execution vulnerability in Visual Studio is fixed, as is a hole in Windows Services for Unix 3.0 that could allow an attacker to gain elevation of privilege. The last flaw is in the live cam feature in MSN Messenger and Windows Live Messenger, and could allow an attacker to take complete control of the affected system.
“The MSN Messenger and Windows Live Messenger vulnerability is also serious. However, Microsoft forces an update, so there is little chance of actually exploiting this vulnerability. Users should accept the automatic update when they connect to the Messenger service,” Marcus said.
Amol Sarwate, research manager at vulnerability management company Qualys, added that webcams have been popular targets.
“This is part of an increasing trend we have been observing in new media vulnerabilities, like the Yahoo IM webcam vulnerability in July,” he said. “An invite to use someone’s webcam looks pretty safe, but that’s not the case, as pointed out by this vulnerability.”
Along with the fixes, Microsoft updated its Malicious Software Removal Kit to recognize the Win32/Nuwar line of e-mail worms.
Microsoft will hold its regular day-after webcast on Wednesday, Sept. 12, 2007, at 11:00 AM PDT.