Microsoft Unleashes a Slew of Critical Fixes

UPDATED: This month’s Patch Tuesday release is yielding a bumper crop of critical fixes, as Microsoft has released 15 total fixes in six bulletins, with four* of the six bulletins listed as critical.

Never ones to let a good opportunity go unexploited, scammers have been sending out a spam e-mail purporting to be from Microsoft, hoping to find a sucker who will click on the link in the letter. You won’t get the fixes, but you will get a Trojan, and who knows what else, installed on your computer.

The SANS Internet Storm Center first noticed a spam e-mail floating around last Thursday. The letter is an age-old trick: It purports to be from Microsoft and asks the user to click on the link to get the latest “patch.” Except there is no patch.

“It’s fairly convincing to the average eye since they spoofed the [Microsoft] address,” Fred Touchette, a research analyst for security firm AppRiver, told internetnews.com. “It appears to be coming from Microsoft. People should know Microsoft doesn’t do patches through an e-mail link; they use their Update service. But they [spammers] only need a few people to bite on it to be successful.”

One non-critical fix was for Windows Vista. The fix, listed as Important, addresses the use of default permissions for unspecified “local user information data stores” in the registry and the file system. Without the fix, local users might be able to obtain sensitive information, such as administrative passwords.

The fixes run the gamut from the Windows operating systems to Internet Explorer to a variety of applications.

MS07-30, for example, addresses a pair of critical vulnerabilities in Microsoft Visio 2002 and 2003, its visual design tool. The vulnerabilities allow remote user-assisted attackers to execute arbitrary code via a Visio file that triggers memory corruption.

Six critical fixes were made to Internet Explorer, along with some bug fixes, in MS07-33, a cumulative update for IE. A cumulative update for Outlook Express and Windows Mail also delivered four critical fixes.

Two of the other bulletins, MS07-031 and MS07-035, both address Windows flaws that could allow a remote attacker to take complete control of an affected system.

As is tradition on Patch Tuesday, Microsoft has updated its Malicious Software Removal Tool to recognize the Win32/Allaple code.

Also, there will be a webcast about the fixes Wednesday, June 13, at 11:00 a.m. PDT.

*Corrects prior version to reflect that four of the six bulletins are critical.