With August comes sizzling temperatures (at least for most of us in the Northern hemisphere) and a whole slew of security updates -- nine total -- for the month, including two major or "critical" issues that affect all versions of Windows, including Vista.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The good news is that a lot of the damage that might come from those two vulnerabilities can be mitigated -- and, most importantly, they're being addressed right now with these fixes.
The first of the two issues, MS07-042, involves a security problem with Microsoft's XML Core Services, which could be exploited if someone persuaded you to visit a specifically-constructed Web page with Internet Explorer (IE). The good news is that this flaw probably wouldn't have anywhere near the impact it would have if you're running in a limited-user account -- which means Vista, by default, is that much more heavily insulated against attacks that use this method. Also, Windows Server 2003's implementation of IE runs by default in a heavily locked-down mode (the MS07-045, deals with a clutch of Internet Explorer-related security issues (yes, IE again) that affect all versions of IE from 5.01 through 7, on all versions of Windows. They involve problems with the way CSS is parsed (IE 5 and down only) and problems with two ActiveX objects used by IE. None of the IE 7 issues are rated as "critical," though. The worst of them is "important," so IE 7 users on all platforms are protected from the worst of what's going on here. Nevertheless, that doesn't mean you shouldn't get this update if you're on IE 7.
There are other items rated critical but they don't affect all platforms. A third item rated critical, MS07-046, repairs a problem with the Windows GDI stack, which could be exploited by malware. It does not affect Windows Server 2003 SP2 or Vista. However, all editions of XP and other versions of Windows Server are affected. All editions of XP and other versions of Windows Server are affected, though. Also, if you're running as a reduced user, the exploit would only be able to run a program in the context of that user and not as administrator.
MS07-043 fixes an issue with OLE automation and it has the same sort of scope as the previous problem -- it doesn't affect Vista, and if it happened in the context of a non-admin user it wouldn't be quite as damaging.
I've written before, separately, about the importance of running as a less-privileged user for day-to-day work, which, among other things, constrains the impact of security issues like these. This is a topic Microsoft consulting services guy Aaron Margosis covers regularly in his MSDN blog, which I highly recommend for more perspectives on this topic.
More on Windows Patches:
Microsoft security bulletin summary for August 2007