Critical Vista, Ie 7 Patches Highlight Ms Security Updates

Critical Vista, IE 7 patches highlight MS security updates!

This month’s batch of patches from Microsoft includes six bulletins covering at least 15 vulnerabilities, including several critical code execution holes in Windows Vista and Internet Explorer 7.

In all, Redmond pushed out four critical bulletins with fixes for flaws that could put Windows users at risk of complete PC takeover attacks.

The most serious is a cumulative Internet Explorer update (MS07-033) that affects all versions of the dominant browser — IE 5.01 on Windows 2000 through IE 7 on Windows Vista.

The mega IE update addresses a total of six flaws, including one that was publicly discussed prior to Patch Tuesday. Interestingly, all six IE bugs are rated “critical” across the board, except for some versions of Windows Server 2003.

(NOTE: Click on image at right for step-by-step instructions on some key configuration changes you can make to run/use IE securely)

Another high-priority update to pay special attention to is MS07-035, which touches a “critical” vulnerability in the way that the Win32 API validates parameters. This bug does not affect Windows Vista.

Microsoft provides a dire warning:

An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Windows Vista is also immune to MS07-031, a “critical” bulletin that covers a flaw in the Secure Channel (Schannel) security package in Windows. “This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using an Internet Web browser or used an application that makes use of SSL/TLS,” according to the bulletin. Affected software includes Windows 2000, Windows XP and Windows Server 2003.

However, the built-in Windows Mail client in Vista didn’t escape unscathed. The MS07-034 update contains fixes for four vulnerabilities (two publicly discussed before today) that could lead to code execution attacks. This update also affects Outlook Express.

source: blogs.zdnet.com