Region: Government      Corporate
You are not logged in    Login
IDS Emergencymanagement
  The Information Resource for the Emergency Management Industry!
Browse Emergency Products & Suppliers By Category
Browse Emergency Whitepapers By Sector
Browse Emergency Management Events By Category
Participation Options
Free Listing
Interested In Exhibiting?
Submit Events
About IDS Emergency
Submit News
Emergency Management Newsletter
News ReleaseClick Here to view News Releases
Microsoft Patches 17 Flaws in Client Products
June 14, 2007
Click HereView Participation Packages
Click Here
Add paper
   




   

Server operators could breath a little easier following the latest round of patches by Microsoft yesterday, but PC administrators must still be on guard. The Patch Tuesday event for June continued the recent spate of client-side vulnerabilities with four critical patches, one important patch, and one moderate patch fixing 17 separate security problems in Microsoft's client-side products. And at least one security expert contends Microsoft attempted to conceal a major programming gaffe in Windows Vista by labeling a flaw moderate instead of giving it the critical label it deserved.

The one Microsoft patch causing a little stir is Microsoft Security Bulletin MS07-032, which fixes what Microsoft has deemed a moderate information disclosure flaw in the 32-bit and 64-bit versions of Windows Vista. This flaw, which officially is called the Permissive User Information Store ACLs Information Disclosure Vulnerability, could allow a user with limited rights and privileges to access local user information data stores, including the user names and passwords of the system administrator.

While this flaw isn't, by itself, a remote code execution vulnerability, it could easily lead to one if a hacker signed onto the system using the administrator's user name and password. That's why Eric Schultze, chief security architect for security software researcher and developer Shavlik Technologies, believes that Microsoft is trying slip one by the unsuspecting masses.

"Microsoft is trying to pull a fast one and call the vulnerability moderate when it should be critical. If nothing else, as an unprivileged user, I now have access to become an administrator on my system," Schultze says. "[The password] might not be in clear text. It might be in hash that would have to be cracked. But any user has access to the file and registry information."

Schultze, who used to work in Microsoft's security department and has seen similar password problems before, has an idea how the vulnerability came to pass. "What it means is, during the upgrade process, they were recording the user names and password and writing it into a file. And after the upgrade, they either forgot to delete or erase the file," he says. "Microsoft is probably a little embarrassed about it. So they've been kind of ambiguous in their bulletin about what it is. They don't want to come out in their bulletin, because they'd get laughed at, and make people a little nervous." Microsoft credits Robbie Sohlman with discovering the flaw.

Source
Other News
IBM and Red Hat Achieve Highest Security Certification for Linux on IBM Servers
FBI Working to Bottle up 'Botnet'Hackers
Microsoft Patches 17 Flaws in Client Products
Websense Unveils Industry’s First Information Leak Prevention Software with Web Intelligence
SSH Announces First End-to-End Security Solution for Securing Data across Multi-Platform U.S. Government Computing Systems Using Common Access Cards
More news
 

Industry IDS, Inc.
DELEGATES
13510
Conference Sectors  Case Studies  List of Papers  Exhibition Sectors  Vendor Presentation  List of Exhibitors  Industry News  Sponsors  All Exhibitors  All Papers  Sitemap  Registration Links ]

 :: IDS Plastics :: IDS Water ::IDS Packaging::IDS Publishing/Media ::IDS Healthcare Management ::IDS Environment::IDS Power/Energy::  

Industry IDS, Inc. – Online Tradeshow, Exhibition, & Buyers Guide Solutions