Microsoft Slips In A Seventh Patch



David Utter
Staff Writer
2006-12-13

SecurityProNews: Insider Reports


The company had announced six security bulletins would be released with its monthly patch cycle, but a seventh addressing a flaw in Windows Media Player entered the group at the last minute.


If anyone recalls a time when Microsoft has tossed in a late patch as they just did with the December updates, congratulate yourself on having a great memory and remind me never to play Trivial Pursuit with you.

A problem with the Windows Media format emerged in late November, and to make things worse it arrived as a zero-day exploit. Security firm eEye said that although it had been reported as a denial-of-service issue, it turned out to be an exploitable heap buffer overflow condition.

In a note on their Zero-Day Tracker site, eEye said the Windows Media Player library WMVCORE.DLL contains a potentially exploitable heap buffer overflow in its handling of "REF HREF" URLs within ASX files.

"As a result, a two- or four-byte heap overflow is possible if the "REF HREF" URL features a protocol shorter than three characters (the length of "mms")," their report said. "Single-letter protocols (such as "a://") are rejected, but this restriction can be circumvented by encoding the protocol ("%61://"), thereby making a four-byte overflow possible."
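To make the condition eEye describes concrete, here is an added Python scanner (not code from Microsoft, eEye or this article) that flags REF HREF entries in an ASX file whose URL scheme, once percent-decoded, is shorter than "mms" or was percent-encoded at all. The sample ASX snippets are constructed, and the regular-expression extraction is an assumption rather than a full ASX parser.

```python
import re
from urllib.parse import unquote

# Constructed sample ASX documents (not from the article): one benign entry and two
# matching the pattern eEye reported (a scheme shorter than "mms", once percent-encoded).
SAMPLE_ASX = {
    "benign": '<asx version="3.0"><entry><ref href="mms://media.example/clip.wmv"/></entry></asx>',
    "short_scheme": '<ASX version="3.0"><ENTRY><REF HREF="ab://media.example/clip.wmv"/></ENTRY></ASX>',
    "encoded_scheme": '<ASX version="3.0"><ENTRY><REF HREF="%61://media.example/clip.wmv"/></ENTRY></ASX>',
}

# Case-insensitive match for a REF element and its HREF attribute value.
_REF_HREF = re.compile(r'<\s*ref\b[^>]*?\bhref\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)
# The scheme is everything before the first "://".
_SCHEME = re.compile(r'^([^:/]*)://')

MIN_SCHEME_LEN = 3  # length of "mms", the threshold eEye described


def extract_ref_hrefs(asx_text):
    """Return every REF HREF value found in the ASX text, in document order."""
    return _REF_HREF.findall(asx_text)


def scheme_of(url):
    """Return the raw (undecoded) scheme of a URL, or None if it has no '://'."""
    m = _SCHEME.match(url.strip())
    return m.group(1) if m else None


def find_suspicious_refs(asx_text):
    """Return (raw_url, decoded_scheme, reason) for each REF HREF whose scheme is
    shorter than MIN_SCHEME_LEN after percent-decoding, or contains percent-encoding
    at all (a legitimate scheme is plain letters, digits, '+', '-' and '.')."""
    findings = []
    for url in extract_ref_hrefs(asx_text):
        raw_scheme = scheme_of(url)
        if raw_scheme is None:
            continue
        decoded = unquote(raw_scheme)
        reasons = []
        if len(decoded) < MIN_SCHEME_LEN:
            reasons.append("scheme shorter than 'mms'")
        if decoded != raw_scheme:
            reasons.append("percent-encoded scheme")
        if reasons:
            findings.append((url, decoded, "; ".join(reasons)))
    return findings


def scan_samples():
    """Run the check over the constructed samples and return findings per name."""
    return {name: find_suspicious_refs(text) for name, text in SAMPLE_ASX.items()}
```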

Microsoft's patch for the problem came out as a last-minute addition to the bundle of fixes the company released. One of those fixes corrected a critical problem in Visual Studio that could have permitted remote code execution.

The third critical bulletin addressed problems in Internet Explorer versions 5 and 6; IE 7 was not affected by the issues. A total of four vulnerabilities, two of them rated as critical, were fixed by that bulletin.

Four other bulletins contained fixes for issues in Outlook Express and some Windows services. Outlook Express had a vulnerability related to its address book contact records which, when exploited, could have permitted remote code execution on the targeted system.

As expected, Microsoft did not have fixes for a pair of Word vulnerabilities that emerged in early December as zero-day exploits used in limited attacks. It appears likely these will not be repaired until January's patch release, at the earliest.

About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.