Microsoft patches URI flaw
By Miya Knights,
Microsoft's release of its November security updates last night has targeted just two Windows bugs exploited by cyber criminals.
Although two updates is fewer than Microsoft has issued in recent 'Patch Tuesday' releases, security experts are advising IT staff to install them as soon as possible.
The MS07-061 update patches a known flaw in the technology used to exchange data between applications, known as the Uniform Resource Identifier (URI). If users with an unprotected PC click on a malicious URI link to launch an application, from within an email or instant message for instance, the flaw can be exploited to run unauthorised commands that install malicious software onto the system.
The URI flaw is seen as a particular threat because it exists both in Windows and in programs that can be launched by external links, including Internet Explorer, Adobe and Firefox. The bug affects all versions of the Windows operating system, except Windows 2000 or Vista, Microsoft said.
But the patch marks an about-face: until recently, Microsoft had denied the flaw lay within Windows, saying it was up to third-party software providers to issue URI patches, which Mozilla did last month.
But the release late yesterday rated the update as 'critical', and a spokesperson for security vendor Qualys' vulnerability lab said it was a patching priority given its zero-day characteristics and the fact that it was "being used in the wild by hackers".
MS07-062, the second vulnerability, rated 'important' by Microsoft, affects Windows Domain Name System (DNS) servers used to exchange location information about computers connected to the internet.
Hackers could exploit this flaw to redirect victims, without their knowledge, to malicious websites, for example ones that imitate genuine online banking sites, in what are known as 'man-in-the-middle' attacks. Qualys advised system administrators to "look very closely at this vulnerability," the spokesman said.