Microsoft patches URI flaw

gallery

Microsoft's release of its November security updates last night has targeted just two Windows bugs exploited by cyber criminals.

Despite the fact the two updates are fewer than Microsoft has released in recent previous 'Patch Tuesday' releases, security experts are advising IT staff to install them as soon as possible.

The MS07-061 update patches a known flaw in the technology used to exchange data between applications, known as the Uniform Resource Identifier (URI). If users with an unprotected PC click on an infected URI link to launch an application, from with an email or instant message for instance, unauthorised hacker commands can be exploited to install malicious software onto the system.

The URI flaw is seen as a particular threat because the flaw exists in both Windows and programs, including Internet Explorer, Adobe and Firefox that can be launched by external links. The bug affects all versions of the Windows operating system, except Windows 2000 or Vista, Microsoft said.

But the patch marks an about face, as up until recently, Microsoft had said denied the flaw lay within Windows, saying it was up to third-party software providers to issue URI patches, which Mozilla did last month.

But the release late yesterday rated the update as 'critical' and a spokesperson for security vendor Qualys' vulnerability lab said it was a patching priority given its zero day characteristics and the fact that it was "being used in the wild by hackers".

MS07-062, the second vulnerability rated 'important' by Microsoft, affects Windows Domain Name System (DNS) servers used to exchange location information about computers connected to the internet.

Hackers could exploit this flaw to redirect victims to malicious websites without their knowledge, known as a 'man-in-the-middle' attacks, to ones that imitate genuine online banking sites for example. Qualys advised system administrators to "look very closely at this vulnerability," the spokesman said.

Email to a friend

Print this page