Microsoft unveiled its first Windows Vista-only patch along with five other security bulletins in its latest monthly "Patch Tuesday" release. Although Microsoft labeled four of the six patches as "critical," one security researcher believes the flaw Microsoft labeled "moderate" should also be considered critical. The Vista-only bulletin revealed four "critical" vulnerabilities in Outlook Express and the email client in Vista, said Amol Sarwate, manager of the vulnerabilities lab at Qualys. These could allow the execution of malicious code downloaded in an email message, he said.
"We've got more of the same" from Microsoft, said Eric Schultze, the chief security architect at Shavlik Technologies. "I believe three of the six [bulletins] impact Vista, so it's not immune [from flaws] -- there will always be patches for Vista."
Microsoft's latest round of security bulletins revealed that Internet Explorer suffers from six vulnerabilities. According to Microsoft officials, all but one of the IE flaws covered in the security bulletin could allow malicious code to take over a user's PC when the user visits a malicious website. The remaining vulnerability, which also requires the user to visit a malicious website, allows spoofing.
Another of the critical security advisories impacts the Schannel Security Package, which provides Secure Socket Layer (SSL) capabilities in Windows. With this vulnerability, a user accessing a malicious website from a browser or other application while relying on SSL for a secure connection could permit the site to execute code remotely on the user's PC.
This flaw allows the security certificate presented by a secure website to be used to execute malicious code on an end-user's PC. This could be deceptive to users who "think they're at a secure website but could be at a hacker site," said Sarwate.
Microsoft, though labeling the flaw as critical, said that attempts to exploit the SSL vulnerability most likely would merely crash the browser or application. "The system would not be able to connect to Web sites or resources using SSL until a restart of the system," noted Microsoft's security bulletin.
Schultze also said that he believes that security bulletin MS07-032, which was labeled "moderate" by Microsoft, "should be critical. Microsoft is trying to hide something here.
"This allows a user to obtain the username and password of the 'admin' account on a Vista system," he explained. "So if I'm a company employee and I have a Vista computer, I can easily figure out the 'admin' username and password because of the vulnerability, then use it to log onto probably any computer in the company, so I consider it 'critical.'"
Both Schultze and Sarwate recommended that users patch their systems "as soon as possible."
Microsoft also released an important update (security bulletin MS07-030) for Visio. It covers two privately reported vulnerabilities plus flaws Microsoft uncovered while investigating the reported flaws. The reported vulnerabilities could allow remote execution of code on users' PCs when they open a "specially crafted Visio file."
According to Microsoft, users whose accounts have fewer access rights are less exposed to the flaws than users operating with administrative rights, since code executed through them runs with the privileges of the logged-on user.