Containing the security bulletins from November 13

Nov 21, 2007 09:48 GMT

For serving security updates, Microsoft follows a strategy of monthly bulletin releases. The Patch Tuesday tradition grew out of user feedback asking the company to adopt a fixed timetable for security releases, which makes deployment of updates easier to manage. Patch Tuesday is the date on which the security bulletins are made available, generally the second Tuesday of every month. This strategy sits at the opposite pole from Apple's approach: the Cupertino-based hardware company deploys security updates strictly in reaction to attacks, exploits or vulnerabilities affecting its products.

On November 13, Microsoft released two security bulletins affecting various versions of the Windows client and server operating systems. Microsoft Security Bulletin MS07-061, given a maximum severity rating of Critical, patches a vulnerability in Windows URI Handling which, if successfully exploited, allows remote code execution.

"A remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003", Microsoft stated in the security bulletin.

Microsoft Security Bulletin MS07-062 received only a rating of Important and is designed to plug a flaw in Windows DNS Server that exposes users to spoofing attacks. "This spoofing vulnerability exists in Windows DNS Servers and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations. This is an important security update for all supported editions of Microsoft Windows 2000 Server and Windows Server 2003", Microsoft added. The Redmond company stressed that Windows Vista is not affected by either of the two security bulletins. The updates shipped to users starting on November 13 via the Windows Update infrastructure that Microsoft has in place. At the same time, accompanying the releases, the company offers for download a DVD5 ISO image containing all the security updates for Windows released this month (via ActiveWin).

The November 2007 Security Releases ISO Image can be downloaded from here.