Tuesday, November 13, 2007

November 2007 Microsoft Security Bulletin Release

Microsoft has issued two security bulletins for November, 2007. Further information regarding the bulletins is available at the MSRC Blog, linked below. Please also refer to the TechNet link for complete details on the Security Bulletins. Only a brief description is provided herein.

As a reminder, Microsoft never sends any type of updates by E-mail. Never click on hyperlinks provided in an E-mail purported to be from Microsoft.

MS07-061 -- Critical, Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)

  • This update resolves a publicly reported vulnerability. A remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003.

MS07-062 -- Important, Vulnerability in DNS Could Allow Spoofing (941672)

  • This important security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS Servers and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.

Microsoft also re-released the following bulletin:

  • This update addresses a vulnerability in Virtual PC and Virtual Server and could allow elevation of privilege. This is a change to the installer code only, to address some limited installation problems that we have seen. There’s no change to the update binaries, so if you have already successfully installed this update, you do not need to reinstall it. Please refer to the bulletin revision notes for more detail.
Also updated for all users today is the Windows Malicious Software Removal Tool.

As indicated in the Windows Vista Team Blog, non-security updates for Windows Vista were also released via Windows Update. As Nick White indicated,
"These and similar updates will be wrapped into SP1 for those of you considering installing them in one fell swoop."
Why wait for SP1 when you can obtain the updates as they are available?
Further information is available at the above-linked topic and in the KB articles described as:
  • An update on system compatibility, reliability and stability: extends the battery life for mobile devices, improves stability of wireless network services, and shortens recovery time after Windows Vista experiences a period of inactivity, among other fixes.
  • An update to USB core components: mainly affects systems returning from sleep or hibernation, fixing problems causing 1-2% of all crashes reported.
  • An update to Windows Media Center: among other things, affects interaction issues occurring between Media Center PC and Microsoft Xbox 360 when Xbox 360 is used as a Media Center Extender.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
