Microsoft fixes two flaws in two patches; one is critical

Users of Windows XP, Windows Server 2000, and Windows Server 2003 are most affected by today's announcements.

Microsoft today released its November 2007 security bulletin, which includes only two updates. One is designated as Critical by the software giant and affects how Windows XP and Windows Server 2003 handle Windows URIs. The other bulletin is deemed Important and affects how Windows Server 2000 and Windows Server 2003 handle spoofing attacks. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-061: Critical

Entitled "Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)," this bulletin affects Microsoft Windows XP SP2 and x64, and Windows Server 2003 x64 and Itanium-based systems; it does not affect Windows 2000 or Windows Vista. The patch addresses the vulnerability detailed in CVE-2007-3896. Microsoft says "a remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003." Successful exploitation could allow remote code execution.

MS07-062: Important

Entitled "Vulnerability in DNS Could Allow Spoofing (941672)," this bulletin affects users of Windows Server 2000 and Windows Server 2003 only and addresses the vulnerability detailed in CVE-2007-3898. According to Microsoft, a "spoofing vulnerability exists in Windows DNS Servers and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations." Successful exploitation could allow an attacker to hijack Internet traffic from a legitimate location.

 
