This page contains a single entry from the blog posted on April 10, 2007 2:59 PM.

Vista and Office woes continue

Ryan Naraine today blogged about the continuing woes plaguing Vista and Office in "MS Patch Tuesday: Vista dinged again".
Ryan says "The update — MS07-021 — is one of five bulletins released in Microsoft's scheduled batch of patches for April. Four of the five are rated "critical," Microsoft's highest severity rating."

"The remote code execution flaw that dinged Vista is an error in the way the Windows Client/Server Run-time Subsystem (CSRSS) process handles error messages. An attacker could exploit the vulnerability by constructing a specially crafted application that could potentially allow remote code execution."

"In all, the MS07-021 update fixes three different CSRSS bugs, all affecting Vista. However, only one of the three is rated critical across the board. The risk from the other two is limited to privilege escalation and denial-of-service conditions."

In an earlier post, also published today, "New Word 2007 flaws, exploits released", he outlines several new attacks, as yet unconfirmed by Microsoft:

"Several new security bugs in the desktop productivity suite have been found and released to the public, including proof-of-concept Word 2007 .docs that could potentially cause code-execution attacks.

The sample .docs have been posted to several known exploit sites, including Milw0rm.com and SecurityVulns.com.

Details on the actual vulnerabilities are scarce. Most appear to be simple denial-of-service issues that cause Word 2007 to crash when the file is opened.

A third bug points to an overflow in wwlib.dll (a core Office library) that could theoretically lead to arbitrary code execution.

The fourth bug released is a heap overflow in the Microsoft Help subsystem. Again, code execution may be possible.

Microsoft is expected to ship five security bulletins later today to cover a range of Windows flaws but several known Office vulnerabilities will remain unfixed."

Bottom line: There is almost NO TIME throughout the year when there isn't at least one high-severity security flaw in Office, and in Word in particular. Be very careful with these applications. Don't open documents attached to emails you weren't expecting, or you might be very sorry as malware quietly downloads onto your computer.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
