May 8, 2007 1:47 PM PDT

Microsoft releases 'critical' updates for new programs

Microsoft on Tuesday released fixes for 19 security flaws in several of its products, including the new Internet Explorer 7, Office 2007 and Exchange 2007.

The company published seven security bulletins as part of its monthly patch cycle. All are tagged "critical," its highest rating. Critical vulnerabilities typically allow an attacker to gain full control of an affected system with very little, if any, action by the user.

Most of the vulnerabilities addressed by Tuesday's fixes can only be exploited after someone visits a rigged Web site or opens a malicious file, attack approaches that are increasingly popular among cybercrooks.

Microsoft's MS07-027 update fixes six flaws in Internet Explorer that could be exploited through malicious Web sites. Three Microsoft updates deal with flaws in Office applications, including Office 2007. Most of these bugs exist because of errors in the way the applications handle certain files and could be exploited through a rigged Office file.

Exchange is flawed in a way that could allow a system running the e-mail server software to be fully compromised without any special user action. There are four vulnerabilities in Exchange, including Exchange 2007, addressed by Microsoft's MS07-026 fix. The most serious bug exists in the way Exchange encodes e-mail messages.

The fact that several of the newly reported vulnerabilities critically affect Internet Explorer 7, Office 2007 and Exchange 2007 hurts Microsoft's security message, said Amol Sarwate, manager of the vulnerability research lab at Qualys. Microsoft has marketed these programs as secure, citing its security development process.

"Microsoft 2007 software, including Exchange and Office, continues to come up vulnerable, demonstrating that the security development lifecycle is not infallible," Sarwate said. Last month's Microsoft patches included a fix for a zero-day flaw in Windows that also affected Vista.

Another vulnerability that may affect many users lies in "Capicom," a component for adding cryptography to applications. It is flawed in the way it handles specific data, a bug that could let an attacker commandeer a computer running the component, Microsoft said in bulletin MS07-028.

Among Microsoft's updates are fixes for a trio of zero-day vulnerabilities. This includes an expected patch for a flaw in the Windows domain name system, or DNS. The vulnerability affects Windows 2000 Server and Windows Server 2003. Microsoft warned of the problem last month and has said it was being used in "limited" attacks.

The remaining zero-day vulnerabilities for which fixes are now available are in Internet Explorer and Word, Microsoft said. The Word flaw had also been used in cyberattacks, it said.

Microsoft's fixes will be made available to Windows users via the Automatic Updates feature and are also available for download from Microsoft Update and Windows Update.


definition
by Dalkorian May 8, 2007 3:29 PM PDT
oxymoron: an obvious contradiction of terms.
Example: Micro$loth security.

"The fact that several of the newly reported vulnerabilities
critically affect Internet Explorer 7, Office 2007 and Exchange
2007, hurts Microsoft's security message, said Amol Sarwate,
manager of the vulnerability research lab at Qualys. Microsoft
has marketed these programs as secure, citing its security
development process."

Maybe we'd better read over those claims again. Did they actually claim their newest junk offerings were "secure" (a ridiculously stupid claim all by itself - there is no such thing as "secure software"!), or "the most secure version to date"? M$'s security record is so bad at this point that if they could release something that only had a thousand major security holes it could be called a major improvement!

But hey, if you're still drinking Bill's Kool-Aid, you're probably too high to realize you're being taken for a ride. In that case, enjoy your slavery!
Critical Security Issues & Microsoft
by wbenton May 9, 2007 6:18 AM PDT
Critical Security Issues should be patched within 24 hours with non-critical issues being patched within 72 hours.

Microsoft released SEVEN (7) critical security patches during their regular monthly update.

If they had all been discovered the day before... nothing really needs to be read into it at all.

But we all know that several of these zero-day flaws have been out for quite some time.

But rather than act like a security-conscious company and offer patches for critical flaws within 24 hours... they wait long past the non-critical 72-hour mark and release critical patches on their Patch Tuesday... only once a month!!!

They ARE NOT serious about security.

Otherwise they would have released patches within 24 hours!!!

Walt
What is going on in this country?
by kathy.collins May 10, 2007 4:29 PM PDT
I find it interesting to watch the broader picture surrounding security in America. NOTHING is more important to safety than SECURITY. Why is this concept so difficult to understand and implement? We need to secure our borders, ALL OF THEM... especially cyberspace. Windows needs to be SECURE.
MS Patches are crashin' W2K systems
by BoB_Roberts54321 May 10, 2007 7:50 PM PDT
It would appear that this week's patches are crashing W2K servers and workstations. The patch installs, and after a reboot the machine will either blue screen or reboot. There are multiple people reporting this issue on the MS Newsgroups; however, I have yet to find an "official" response from MS.
Let's hope they have a fix soon!!
BoB...
KOOL AID I AM NOT DRINKING
by linuxcable23 May 22, 2007 8:58 AM PDT
M$$ M$$ M$$, always talking about what they did and what they can do, not always walking the walk. It's like, come on, Vista: six years to design that? Give me a break. It's a fancy-looking XP with a cheap security fix. M$ does not care about anything but making money, that's plain and simple. If they really made a product that was good or secure we would not be here talking about it. Furthermore, if you're smart, Linux and Apple have always been making stuff better and more secure, and did I mention it's free? Can't beat it. So when you're done with the Bill Gates Kool-Aid, get something that really works!!!!!