By Sharon Gaudin
July 10, 2007
In its monthly Patch Tuesday release, Microsoft issued six security
bulletins, patching 11 vulnerabilities -- eight of them critical.
Security researchers are advising IT managers to patch all of the bugs
being fixed today, of course, but to turn their attention quickly to two
vulnerabilities in Active Directory implementations in Windows 2000
Server and Windows 2003 Server. Amol Sarwate, manager of the vulnerability
research lab at Qualys Inc., called this the most important of the 11
bugs that Microsoft is patching this month.
"If you are managing servers, this is the most critical because a hacker
can crash your machine or anonymously run programs or steal information
from your Active Directory," said Sarwate.
The Active Directory issue was discovered by IBM X-Force Researcher Neel
Mehta, who also created proof-of-concept exploit code for it. The flaw
was reported to Microsoft a year ago this month.
"Active Directory is the cornerstone of the Windows network. The Active
Directory server is used to manage things like user accounts on your
domain. If a bad guy had that, he could add or delete accounts," said
Tom Cross, an IBM Internet Security Systems X-Force researcher, in an
interview. Another IBM researcher, David Dewey, noted that if a hacker
adds himself to the directory as an administrator, he could do anything
he wants to the network.
Because the two vulnerabilities are in such a key part of Microsoft's
software, both Cross and Dewey said they're glad Microsoft took so much
time to work on the patch.
"This one carries quite a few complexities that led it down quite the
development path," said Dewey in an interview. "We were in lockstep
with them during the entire path. As it turns out, it brought to light
other coding issues that needed to be corrected. Active Directory is the
cornerstone of the Microsoft enterprise network. Anytime someone pokes
a hole in that, they need to make sure the fix they put in place is
thorough and correct. This is extraordinarily critical and they handled
it appropriately, in my opinion."
Sarwate also noted that a critical bug in Microsoft Excel, as well as
a critical bug in the .Net framework also are worthy of immediate
With the Excel flaw, if a user opens a malicious Excel attachment, code
can be executed on her computer. It's a buffer overflow vulnerability
that causes remote code execution.
The .Net framework is an environment for building and running
applications, including Web services. The bug that Microsoft patched in
the .Net framework also can be used to execute code remotely and
Three of the vulnerabilities being fixed this month don't rate
Microsoft's highest risk rating of critical. But Symantec's researchers
noted that one "moderate" vulnerability that's being patched lies in the
Windows Vista firewall. Symantec discovered the bug this past February.
This vulnerability exposes network services which should only be
accessible from the local area network to the Internet, reported
Symantec in an e-mail to InformationWeek. By tunneling traffic over the
Teredo protocol, an attacker can access network services, which would
otherwise have been blocked from the Internet. Even though it's
classified as an "information disclosure vulnerability," if the flaw was
combined with a vulnerability in one of the exposed services, this
vulnerability could have widespread implications.
"As this month's patch release demonstrates, Microsoft's decision to
rewrite the Windows network stack and its accompanying firewall
continues to have long-term security implications," said Oliver
Friedrichs, director of emerging technologies at Symantec Security
Response. "A network stack can take decades of heavy scrutiny in order
to become battle hardened. As an operating system's first line of
defense, its quality is directly related to its ability to withstand
Last month, Microsoft issued six security bulletins that patched 15
vulnerabilities. The June batch of vulnerability fixes affected 12
critical bugs. In May, Microsoft released seven security bulletins,
patching 19 bugs. All seven of those advisories were rated critical.