Microsoft resolves four security vulnerabilities
Microsoft has only issued four updates this Patch Day despite the fact that five had been announced. In the event, the fix for its SharePoint services was not released for reasons that are still unknown. The sole critical security update resolved a vulnerability in Windows Agent for Microsoft Windows 2000 Service Pack 4. Important security updates were issued for MSN Messenger and Windows Live Messenger, Crystal Reports for Visual Studio, and Windows Services for UNIX. Microsoft apparently did not feel that the URI handling command execution vulnerability, affecting Firefox and Skype, among others, required an update at the operating system level.
The primary focus of September's Patch Tuesday is on the oldest, still maintained Windows version, which is primarily still in use in corporate environments. The vulnerabilities in Windows Agent for Windows 2000 Service Pack 4 could allow attackers to remotely execute code over the Internet with the help of specially crafted URLs. Microsoft resolved a similar vulnerability in April, but that vulnerability affected the entire Windows family.
Microsoft has also fixed a vulnerability in Version 8.1 of Windows Live Messenger and Version 7.0.0820 of MSN Messenger that could allow remote code execution. The vulnerability affects users of Windows Live Messenger 8.0 and its outdated predecessors, MSN Messenger 6.2, 7.0, and 7.5. It is assumed that the vulnerability can be exploited when a user accepts a manipulated video chat invitation from an attacker. An attacker who successfully exploited this vulnerability could take complete control of the affected system if the user is operating with administrative user rights.
The vulnerability in Crystal Reports affects Visual Studio .NET 2002 and 2003 as well as Visual Studio 2005. This vulnerability could allow remote code execution if a user opens a specially crafted RPT file, for example in an e-mail attachment.
The third important update resolves a vulnerability in Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for UNIX-based Applications. This vulnerability could allow an attacker to gain elevation of privilege. The vulnerability affects the UNIX services for all Windows versions since Windows 2000, including the 64-bit versions; however, by default these services are not installed.
- Microsoft Security Bulletin Summary for September 2007
- MS07-051 - Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)
- MS07-052 - Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution (941522)
- MS07-053 - Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege (939778)
- MS07-054 - Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099)
- Danger for users of MSN Messenger