Five updates planned for Microsoft's Patch Tuesday
Microsoft says it will be releasing five patches on September's Patch Tuesday next week. The company says it will be closing at least one critical security hole and four others categorized as "important" in its operating systems, developer tools, Messenger, and in Windows Services for UNIX.
The critical vulnerability affects Windows 2000 with Service Pack 4. Attackers can exploit this hole to inject and execute arbitrary code; as usual, Microsoft does not provide any additional details in advance. Likewise, attackers can also inject malicious code into Visual Studio (from .NET 2002 Service Pack 1 up to and including version 2005 Service Pack 1), MSN Messenger 6.2 to 7.5, and Windows Live Messenger 8.0, though the vendor says that the risk here is merely "high" – apparently users still have to click somewhere for malicious code to be injected and executed.
In Microsoft Services for UNIX and the subsystems for UNIX-based applications, attackers can escalate their privileges in the system on all supported operating systems except for 64-bit Windows XP. A hole of this kind also exists in SharePoint Services 3.0 in all variants of Windows Server 2003.
The descriptions of the planned updates suggest that the still unconfirmed vulnerabilities in the handling of manipulated video data streams in MSN Messenger's webcam sessions do indeed exist, and also affect Windows Live Messenger. As on every Patch Tuesday, Microsoft is providing an updated Malicious Software Removal Tool that detects and removes a few of the most common contaminants. One can only hope that it will also remove those that may have entered the system through the holes that are still open.
- Microsoft Security Bulletin Advance Notification for September 2007, Microsoft's announcement of the planned updates with an overview