Server operators could breath a little easier following the latest round of patches by Microsoft yesterday, but PC administrators must still be on guard. The Patch Tuesday event for June continued the recent spate of client-side vulnerabilities with four critical patches, one important patch, and one moderate patch fixing 17 separate security problems in Microsoft's client-side products. And at least one security expert contends Microsoft attempted to conceal a major programming gaffe in Windows Vista by labeling a flaw moderate instead of giving it the critical label it deserved.
The one Microsoft patch causing a little stir is Microsoft Security Bulletin MS07-032, which fixes what Microsoft has deemed a moderate information disclosure flaw in the 32-bit and 64-bit versions of Windows Vista. This flaw, which officially is called the Permissive User Information Store ACLs Information Disclosure Vulnerability, could allow a user with limited rights and privileges to access local user information data stores, including the user names and passwords of the system administrator.
While this flaw isn't, by itself, a remote code execution vulnerability, it could easily lead to one if a hacker signed onto the system using the administrator's user name and password. That's why Eric Schultze, chief security architect for security software researcher and developer Shavlik Technologies, believes that Microsoft is trying slip one by the unsuspecting masses.
"Microsoft is trying to pull a fast one and call the vulnerability moderate when it should be critical. If nothing else, as an unprivileged user, I now have access to become an administrator on my system," Schultze says. "[The password] might not be in clear text. It might be in hash that would have to be cracked. But any user has access to the file and registry information."
Schultze, who used to work in Microsoft's security department and has seen similar password problems before, has an idea how the vulnerability came to pass. "What it means is, during the upgrade process, they were recording the user names and password and writing it into a file. And after the upgrade, they either forgot to delete or erase the file," he says. "Microsoft is probably a little embarrassed about it. So they've been kind of ambiguous in their bulletin about what it is. They don't want to come out in their bulletin, because they'd get laughed at, and make people a little nervous." Microsoft credits Robbie Sohlman with discovering the flaw.