Get Smart about Business Spending
- Related Stories
-
Attack code raises Windows DNS zero-day risk
April 16, 2007 -
Cybercrooks exploiting new Windows DNS flaw
April 12, 2007 -
Office zero-day bugs spoil Patch Tuesday
April 10, 2007 -
Windows zero-day flaw gets a fix
April 10, 2007 -
Zero-day attack hits Word
February 15, 2007
The bulletins, part of Microsoft's monthly patch cycle, are slated to provide fixes for an undisclosed number of security vulnerabilities in Windows, Office, Exchange and BizTalk, Microsoft said on its Web site Thursday. The issue affecting BizTalk also relates to "Capicom," a developer component to add cryptography to applications.
Each of the four product families is scheduled to get at least one "critical" update, Microsoft's highest severity rating, the company said. Microsoft plans to release two bulletins related to issues in Windows and three related to Office, with one remaining for both Exchange and BizTalk, it said.
Security issues tagged as critical typically could allow an attacker to gain full control of an affected system with very little, if any, action by the user.
Microsoft's updates will include a patch for a vulnerability in the Windows domain name system, or DNS. The security vulnerability affects Windows 2000 Server and Windows Server 2003. Microsoft warned of the problem last month and has said it was being used in "limited" attacks.
Some of the planned Office patches will likely deal with vulnerabilities in the software that have been disclosed and have been waiting for fixes.
Microsoft gave no further information on the upcoming alerts, other than to state that some of the fixes may require restarting the computer or server.
Last month, Microsoft released six security bulletins. Shortly after it released the fixes, several new Office zero-day bugs and the Windows DNS bug hit. Some security watchers have come to call this phenomenon "zero-day Wednesday."
See more CNET content tagged:
Microsoft BizTalk Server, DNS, fix, flaw, security
what does this mean joris evers? more details please. poor story effort and research or you just decided not to be more specific.
If you have an issue that results in a buffer, heap, stack, etc overflow then you can craft a hack to overflow the memory region and gain access to the system pointer, at which time you can point to your own code and execute it without the end-user's consent and/or knowledge.
Sometimes things are inherently explained unless you don't have the skillset to understand them.
since you don't seem to understand IT security I recommend you start with a book called:
"Inside Internet Security / What Hackers don't want you to know" by Crume and published by Addison-Wesley.
You're either a newbie or an antagonist, either way you could have emailed him with this if you were serious.
cant say that out loud too much ,but i am starting to encourage
people that cant or wont buy a mac to look into Ubuntu ... The
flaws inside Microsoft's code are getting too much to bear for
some users that just want a computer to read emails , browse
the internet with a reasonable level of safety , what Microsoft
promised to deliver for years and certainly cant because they
dont want to reconsider the vailidity of the LEGACY code they
will probably carry for the next 10 years ... Apple delivers
systems to a public that are solid with a little know how .
Microsoft while only delivering software delivers headaches to
no end to their end users ... Time for people to call the OS what
it is.
This means Windows XP has 27% less vulnerabilities than Mac OSX. This is verifiable information. You can look it up yourself: http://nvd.nist.gov/nvd.cfm?advancedsearch
Given this, why is it that whenever Microsoft announces they are releasing patches, a bunch of on cnet people start these anti-microsoft rants? I really don't understand this at all.
problems reported there are corrected AND most of them are
3rd party as well if you look closely. True mac os X server takes
some configuring to get right . Out of the box you have some
corrections to make. A lot of the vulnerabilities listed here point
to ActiveX and Microsoft Office ... Weird you can turn active X off
you know in Office for mac. I see as well listing holds loads of
stuff on RPC no one in their right minds would use ... to be
precise it is not only deactivated by default in Mac os X but it is
highly recommanded to avoid installing it at all unless you need
to be compatible with a standard even SUN dropped the use of .
Everyone in their right minds turns off SSH except when
connecting to hosts you can trust.
You can isolate your admins from SU capabilities if you wish , all
it takes is modifying the sudoers files in /etc this is just a
misconfiguration.
Most of the attacks mentionned in the database require at least
local user or admin accounts , most of what is listed for windows
Xp does not even require such privileges , just a internet
connection.
Not to mention vulnerability database mentions vulns dating
back to 10.3 and earlier. The problem with your query was as
you mentionned it simple , not expansive. Some of what is listed
here dates back to 10.0.3. Side note there are many more
exploits in the wild for windows than there would be for mac os
X market share argument not being valid since mac os X is the
hacker's holy grail.
But i have to give you the database is a good example of how
improperly configured services can lead to vulnerabilities.
- Buzz word overload? or exploitation?
- by chrisw63 May 9, 2007 4:44 AM PDT
- It seems to me the term 'zero-day' is being a bit over used, perhaps from ignorance, but I believe its more trying to draw eyes to the story. In other words, phrase exploitation.
- Like this Reply to this comment
-
(7 Comments)The definition of 'zero-day' doesn't seem to apply to the DNS flaw in the story. Vista has been out for months now, and I seriously doubt any revamp was done to the DNS system anyway. Zero-day flaws typically have to be leaked by the developers, or a beta tester, before official release to be called 'Zero-day'. Whoever started this just wants attention.