Microsoft releases four "critical" security updates
By Rene Millman
Microsoft has released four "critical" security updates to fix vulnerabilities in Windows and its Content Management Server software.
As reported by IT PRO, Microsoft has already rolled out an out-of-cycle emergency patch to fix a bug hackers could exploit in Windows' animated cursor handling process.
One patch fixes a privilege escalation vulnerability in the Microsoft Client/Server Runtime Server Subsystem (CSRSS) and affects all operating system versions, including Vista.
Another flaw, in the way Microsoft Agent parses URLs, could allow an attacker to run arbitrary code as the currently logged-in user.
"If the user is logged in as administrator, the result could be complete system compromise," said David McKinney at IT security company Symantec. "Therefore, Symantec recommends that tasks such as surfing the web be performed as a non-administrative user."
Another vulnerability, in Universal Plug and Play (UPnP), could allow remote code execution. This memory corruption vulnerability is related to how HTTP requests to UPnP services are handled. Attacks using this vulnerability would have to originate from the same subnet as the vulnerable computer, according to Microsoft.
A memory corruption vulnerability in Microsoft's Content Management Server product could allow hackers to run remote code in the context of the IIS webserver. Microsoft considers this to be less of a threat for servers hosting Content Management Server with IIS 6.0 because the IIS service runs with the limited privileges of the Network Service account.
Another patch, rated "important", fixes a flaw in the Windows kernel that could also allow privilege escalation attacks by hackers.
As usual, the scheduled update included the latest version of the Windows Malicious Software Removal Tool. There were also several non-security-related fixes, including refinements to the way Windows Mail identifies junk e-mail and grammar updates for some foreign-language versions of Vista.
Experts said that, by releasing one patch early, Microsoft is listening to its customers and responding to them rather than sticking to its own agenda.
"Clearly, the out-of-band patch is the worst of the bunch and should take priority over the others," said Alan Bentley, Managing Director of PatchLink. "When Microsoft feels a patch is important enough to release outside of the normal schedule, it should be taken very seriously."
He added that since all five critical patches are for remote code execution, which is often a vehicle for botnets and other targeted attacks, "it is essential that organisations remediate these vulnerabilities quickly."
Bentley said that IT administrators need to be aware of patches that are being released from other vendors.
"Just deploying Microsoft patches is not enough, organisations need to ensure every IT asset is inventoried, patched and compliant with applicable policy in order to best protect their network."