Patch Day Yields a Dozen New Fixes From Microsoft

This month’s Patch Tuesday event from Microsoft is a bit heftier than in previous months, with half of the dozen security bulletins fixing issues outside of the operating system. All of the operating system-related vulnerabilities are confined to Windows XP and Windows 2000. No security bulletins have been issued for Vista.

The trend toward non-OS vulnerabilities has been increasing in recent months thanks to a combination of Microsoft  hardening the operating system and the advent of “fuzzers,” hacker programs that automate searching for vulnerabilities, like buffer overflows. This allows less technically-savvy people to search for exploits.

“Typically attackers will focus on the low hanging fruit. The OS was a target all of these years, but with all of these service packs and patches, it has become increasingly harder to find weaknesses,” Amol Sarwate, manager of the vulnerabilities lab for security vendor Qualys told internetnews.com.

Also, some of these applications are newer and haven’t been as widely tested. Among the dirty dozen of security problems, one of the most glaring is in the Microsoft Malware Protection Engine. This single engine powers Windows Defender, Live One Care and Antigen, which guards the Exchange and Sharepoint servers.

The issue was an exploit in PDF  files. A malformed PDF with malicious code could cause a buffer overflow, and instructions hidden in the PDF could take over the machine.

“Can you imagine sending a PDF into an Exchange server and it gets scanned and you can exploit the Exchange server? It’s obviously critical,” said Jonathan Bitle, manager of the technical account management team at Qualys.

Of the six Windows-related fixes, two are labeled Critical, the most severe, and four are listed as Important. There is one Critical fix for Internet Explorer, a Critical fix for Office and Microsoft Works, and an Important fix for Microsoft Step-by-Step Interactive Training.

As part of the update, Microsoft has updated its Malicious Software Removal Tool to remove two more viruses; Win32/Stration and Win32/Mitglieder.

All of these fixes are available through Windows Update or through Automatic Updates, both of which are functions on your computer.

As is tradition, Microsoft will host a webcast on Wednesday, February, 14, 2007 at 11:00 AM PDT to discuss the fixes.