Tiny Patch Tuesday Brings Two Fixes
Compared with previous Patch Tuesdays, November's version was quite small with Microsoft releasing only two patches for the Windows operating system: one rated critical and the other important.
The critical patch addresses an issue with how the Windows shell handles URIs. A specially crafted URI could allow an attacker to execute arbitrary code due to an error in the way it is validated.
Currently the issue has only been identified to be exploitable through Internet Explorer 7. However, the actual flaw itself is in a shell DLL, which can be found in Windows XP and Server 2003.
Security firm Qualys noted that several patches that address a similar issue within other applications shows that this is likely not limited to IE7. The company also identified Mozilla and Adobe products as being potentially vulnerable.
"Having said that, application vendors will benefit from Microsoft's operating system ability to sanitize at the shell level," Qualys lab chief Amol Sarwate told BetaNews.
The second patch repairs an 'important' flaw in how Windows handles DNS. A spoofing vulnerability exists where a specially crafted response to a DNS request could redirect legitimate traffic to sites with less than legit purposes, Microsoft said in an advisory.
In order to fix the problem, Microsoft said it increased the randomness of DNS transaction IDs. Sarwate said that DNS administrators should treat the issue as critical however. The problem affects both Windows Server 2000 and 2003.
"In summary, despite what appears to be a relatively small release, the impact to unpatched systems is significant to both end users and server administrators," he said.