Windows Zero-Day Flaw Gets A Fix
Microsoft on Tuesday issued five security bulletins with fixes for eight flaws, including a “critical” zero-day vulnerability in Windows that also affects Vista. Four of the security bulletins released as part of Microsoft’s monthly patch cycle address problems in Windows. Three are tagged “critical,” Microsoft’s highest severity rating, while the other is pegged “important,” a notch lower.
The most serious rating is for bugs that could cause a computer to be fully compromised with little, if any, user action. Among the Windows patches is a fix for a zero-day vulnerability first disclosed in December. Security experts had initially deemed the flaw less serious, stating it could be exploited only by someone with access to a vulnerable computer.
The flaw lies in an essential Windows component called the Client/Server Run-time Subsystem and critically affects all current Windows releases, Microsoft said in security bulletin MS07-021. “If a user viewed a specially crafted Web site, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” the company said. The MS07-021 update is the only patch released Tuesday that affects Vista.
All of Tuesday’s Windows fixes apply to Vista’s predecessor, Windows XP. This includes a critical hole in the Microsoft Agent, a help tool that succeeded the famous Clippy Office assistant. The Microsoft Agent flaw also affects Windows 2000 and Windows Server 2003. The Microsoft Agent is flawed in the way it handles certain specially crafted Web links.