14 DAY TRIAL // Another month and Windows Vista, Microsoft's most secure Windows platform to date, is yet again at the forefront of the vulnerability trenches. Having applauded the high security performances inherent with the additional mitigations introduced by the Redmond Company into the fabric of the operating system, Microsoft only invited the "hunt" for vulnerabilities impacting the platform. Windows is traditionally one of the most targeted "items of prey", and this rule is confirmed with Vista. June 2007 brings to the table fresh new security updates from Microsoft. Three of the patches are designed to plug hole in Windows Vista.
Of course that the way to the heart of the operating system goes through the meanders of secondary attack vectors. In this context, the browser and the desktop email client have yet again failed Windows. The only problem is if the security vulnerabilities should be considered as impacting directly Windows Vista. Both Windows Mail and Internet Explorer 7 are components of the operating system shipping by default with the product, and both feature flaws rated with Microsoft's maximum severity level of Critical.
Microsoft Security Bulletins MS07-033 and MS07-034 deliver fixes for the two critical vulnerabilities in Internet Explorer 7 running on Vista, and for the operating system's Windows Mail. "Microsoft Vista Windows Mail executes any scripts or program files that have an associated folder with the same name. An attacker must entice a victim into opening a maliciously crafted link using the affected application. When the issue is triggered, the attacker-requested file runs without requiring any further actions by the user. Attackers may exploit this issue to execute local or locally-accessible files, including those on network shares," revealed Ben Greenbaum Symantec Research Manager.
On top of the critical vulnerability in IE7 on Vista, the operating system itself this time is affected by a moderate flaw. Both 32-bit and 64-bit versions of Vista can allow an attacker access to sensitive user data in the eventuality of a successful exploit. The three flaws patched in Vista are a mixture of both privately reported and public vulnerabilities.