Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Patches 19 Flaws, 6 in Vista

Posted by ryuzaki0 on from the many-patches-makes-os-work dept.

Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which cover 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch apples to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"

2 of 307 comments (clear)

  1. Summary was incorrect by SEMW · · Score: 4, Informative

    Actually, the summary was incorrect regarding Vista: at least one of the vulnerabilities in question ("Uninitialized Memory Corruption Vulnerability CVE-2007-0944") is not present in Vista, and contrary to the summary's implication, only two out of the Vista vulnerabilities (CVE-2007-0945 and CVE-2007-2221) are rated critical.

    Not, of course, that this excuses MS in any way (two is still two too many), but the summary was still rather misleading.

    --
    What's purple and commutes? An Abelian grape.
  2. Only One of the Vista Bugs was "Critical" by ThinkFr33ly · · Score: 4, Informative

    Only 1 of the 6 bugs that affected Vista was rated "critical". (Critical is typically reserved for bugs that could allow somebody to remotely take over the machine.)

    In the case of the one bug that was rated critical, the rating was dependent on several mitigating factors, including that the user running as full admin with UAC turned off. (Obviously not the default configuration.)

    Only in that scenario could the machine be compromised, and even then the successful execution of exploit code was unlikely thanks to ASLR and various other security measures. It was far more likely to simply cause a browser crash.

    Considering Vista has been out since November of last year, its security record so far as been extremely impressive.