Microsoft today delivered a motley assortment of patches, offering fixes for eight critical server- and client-side vulnerabilities that could lead to attackers executing remote code. The most pressing fix is MS07-021, which resolves a privilege-escalation flaw in the Microsoft Client/Server Runtime Server Subsystem (CSRSS) and affects all operating system versions, including recently released Vista.
The critical flaw contains a "web-based attack scenario," Amol Sarwate, manager of vulnerability research at Qualys, told SCMagazine.com today. Proof-of-concept code has been published, although Microsoft engineers said in December that they were not aware of public attacks.
Because the vulnerability also exists in Vista, it could signal the start of a trend in which code "reused" in the new platform invites the same vulnerabilities that appeared in Windows XP and 2000, Sarwate said. Microsoft has disputed such claims.
"While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that it is our most secure platform to date," Microsoft’s Mike Reavey said in a Security Response Center blog posting in December, when the proof-of-concept was confirmed.
Microsoft also patched a critical client-side vulnerability in Microsoft Agent related to a flawed ActiveX control.
Meanwhile, today's security update also delivered two fixes for server-side vulnerabilities that do not require user interaction. The flaws reminded researchers of the early part of the decade, as they are similar to the bugs that enabled the "Code Red" and "Nimda" self-propagating worms.
"If I was an evil person, I would really be excited about these security bulletins today," Eric Schultze, chief security architect at Shavlik Technologies, told SCMagazine.com. "I think the hackers are going to have a field day with these."
He anticipated that exploit code for the server-side vulnerabilities will begin appearing within days. One of the fixes addresses memory-corruption, cross-site scripting and spoofing flaws in the Content Management Server (CMS), while the other remedies a hole in Universal Plug and Play.
Sarwate, though, said the CMS vulnerability is not that serious because many enterprises have transitioned to SharePoint for their content management services.
Recent patch releases from Microsoft have mostly contained remedies for client-side vulnerabilities, which lend themselves better to identity theft and the creation of botnets.
A fifth patch, rated important, corrects a flaw in the Windows Kernel that could allow privilege escalation.