Just two security patches in November

Nov 14, 2007 08:09 GMT

While Microsoft is hard at work patching Windows XP and Windows Server 2003, Windows Vista managed to get by without a single scratch. On November 13, the Redmond company made available two security bulletins addressing vulnerabilities in XP and Windows Server 2003. The updates patch two security holes rated Critical and Important, respectively, by Microsoft; the maximum-severity flaw has been actively exploited in the wild via publicly available proof-of-concept code.

Microsoft Security Bulletin MS07-061, rated as Critical, deals with a vulnerability in Windows URI Handling that, in the event of a successful attack, allows for remote code execution. The issue was reported to the company in October, and it stems from the way Windows manages malformed URLs. "A remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003", Microsoft revealed.

Via Security Bulletin MS07-062, the Redmond company has also patched a security hole in the Microsoft DNS Server service on Windows 2000 Server SP4, Windows Server 2003 SP1 & SP2, Windows Server 2003 x64, Windows Server 2003 x64 SP2, and Windows Server 2003 Itanium SP1 & SP2. "This spoofing vulnerability exists in Windows DNS Servers and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations", Microsoft added.

While none of the security bulletins issued this month target Windows Vista, this does not mean that Microsoft's latest operating system will go without updating. In fact, no fewer than three non-security updates have been released, designed to soften some of the rough edges of the operating system, a mere preview of Windows Vista SP1.