IDS Emergencymanagement
Microsoft Patches 17 Flaws in Client Products
June 14, 2007

Server operators could breathe a little easier following the latest round of patches by Microsoft yesterday, but PC administrators must still be on guard. The Patch Tuesday event for June continued the recent spate of client-side vulnerabilities with four critical patches, one important patch, and one moderate patch fixing 17 separate security problems in Microsoft's client-side products. And at least one security expert contends Microsoft attempted to conceal a major programming gaffe in Windows Vista by labeling a flaw moderate instead of giving it the critical label it deserved.

The one Microsoft patch causing a little stir is Microsoft Security Bulletin MS07-032, which fixes what Microsoft has deemed a moderate information disclosure flaw in the 32-bit and 64-bit versions of Windows Vista. This flaw, which officially is called the Permissive User Information Store ACLs Information Disclosure Vulnerability, could allow a user with limited rights and privileges to access local user information data stores, including the user names and passwords of the system administrator.

While this flaw isn't, by itself, a remote code execution vulnerability, it could easily lead to one if a hacker signed onto the system using the administrator's user name and password. That's why Eric Schultze, chief security architect for security software researcher and developer Shavlik Technologies, believes that Microsoft is trying to slip one by the unsuspecting masses.

"Microsoft is trying to pull a fast one and call the vulnerability moderate when it should be critical. If nothing else, as an unprivileged user, I now have access to become an administrator on my system," Schultze says. "[The password] might not be in clear text. It might be in hash that would have to be cracked. But any user has access to the file and registry information."

Schultze, who used to work in Microsoft's security department and has seen similar password problems before, has an idea how the vulnerability came to pass. "What it means is, during the upgrade process, they were recording the user names and password and writing it into a file. And after the upgrade, they either forgot to delete or erase the file," he says. "Microsoft is probably a little embarrassed about it. So they've been kind of ambiguous in their bulletin about what it is. They don't want to come out in their bulletin, because they'd get laughed at, and make people a little nervous." Microsoft credits Robbie Sohlman with discovering the flaw.
