That should wrap it up for 2007, at least regarding Microsoft and its security updates. The company on Tuesday issued its monthly update for December, which consists of seven security bulletins that fix 11 vulnerabilities.
Three of the bulletins are rated critical, the most severe rating. The other four are rated important and are highly recommended to be patched as well.
This update follows the unusually light November release, which fixed only two flaws. What is notable in this release is that five of the seven security bulletins affect Vista, including all three critical fixes. Until now, Vista has not been affected by patches as much as Windows XP.
The critical vulnerabilities all allow for remote code execution, the most common of vulnerabilities, and fix problems in DirectX, Windows Media File Format, and Internet Explorer.
Bulletin MS07-064, one of the critical bulletins, addresses the DirectX vulnerability. It would allow a specially crafted streaming media file to take complete control of an affected system, install programs, change or delete data, or create new accounts with full user rights. It affects DirectX versions 7.0 to 10.0.
The Windows Media File Format fix, MS07-068, addresses a similar vulnerability, in that a specially crafted file handled by Windows Media Format Runtime could take control of a system. Both MS07-064 and MS07-068 have the greatest impact on users logged in as an Administrator, while those with more restricted rights are less likely to suffer significant impact.
Paul Zimski, senior director of market strategy at enterprise security firm Lumension Security, was particularly troubled by the video-related vulnerabilities. “This is particularly troublesome because attackers can prey on users as the weakest IT security link by posting seemingly harmless videos on YouTube, MySpace, Facebook or similar sites. If a user watches one of these infected videos, malware will execute, compromise their machine and put the entire network at risk,” he said in a statement e-mailed to InternetNews.com.
MS07-069 is a roll-up of four vulnerabilities in Internet Explorer, and is rated moderate for Windows Server 2003 but critical for all other affected versions. The fixes address remote code execution threats and also how IE frees memory it has finished using.
“This is concerning since it will affect the entire Internet Explorer user community. It is vital to deploy this patch as quickly as possible because it affects a larger number of users than is typical,” said Zimski.
As is tradition, Microsoft is updating its Malicious Software Removal Tool; this month it adds the Win32/Fotomoto family to the list. Microsoft will also host its monthly webcast tomorrow at 11 am PST. In addition, Microsoft now has a radio show, called TechNet Radio, which will discuss this month’s updates.