Archive for the ‘Vista’ Category

Microsoft issues critical Windows patches

Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.

The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files. “We’ve seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected.”

In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.

Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week. “Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately,” Greenbaum said. “We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5.”

There are already some attacks being seen based on that flaw.

“While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution,” Microsoft said.

Meanwhile, Microsoft said Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.

As for the patches Microsoft did release on Tuesday, Qualys CTO Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions–the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.

“Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators,” Qualys CTO Wolfgang Kandek said in an e-mail.

Source :

http://news.cnet.com/8301-13860_3-10346665-56.html?part=rss&subj=news&tag=2547-1_3-0-20

Windows 7, Vista zero-day flaw reported

A security researcher has said there is a zero-day vulnerability affecting Windows 7 and Vista.

The flaw in Windows 7 could allow an attack which would cause a critical system error, or “blue screen of death,” according to researcher Laurent Gaffie.

Gaffie wrote in his blog that the flaw lies in a Server Message Block 2 (SMB2) driver.

“SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality,” wrote Gaffie in a blog post Monday.

Gaffie said he had contacted Microsoft. Comments on his blog by other users said that the flaw could lead not only to denial of service, but could also lead to remote code execution.

Computer security publication “The H” wrote on Tuesday that its German sister publication had tested the proof-of-concept code, and that while the exploit had caused a reboot on Vista, the exploit had not worked on Windows 7.

Metasploit creator HD Moore said in a tweet on Tuesday that an SMB bug appeared to have been introduced into Vista SP1. Coder Josh Goebel said in a blog post that he had added the exploit code to Metasploit.

Microsoft had not responded to a request for comment at the time of writing.

Source :

http://news.cnet.com/8301-1009_3-10346664-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Olivia’s Tweets
Search
Archives
Subscribe

I will be compensated if you use my link.