Microsoft Patches Vista Flaw, 4 Others
As part of April's Patch Tuesday, Microsoft corrected a flaw in Windows Vista that could be exploited in several ways, along with issuing patches for three other Windows flaws and one in Content Management Server.
The Vista-related flaw resides in the Windows Client/Server Run-time Subsystem (CSRSS) process, Microsoft said in an advisory. Three separate flaws are fixed by the patch, including a critical code-execution problem and two less serious denial-of-service and privilege escalation risks.
Also affected are Windows 2000, Windows XP Service Pack 2 and Windows Server 2003, as well as 64-bit versions of those products.
Two critical flaws in Microsoft's Content Management Server, used to build and maintain Web sites, have been remedied. Microsoft says that a memory corruption vulnerability existed, as well as a cross-site scripting and spoofing risk.
A code execution flaw within Universal Plug and Play has been fixed, as has an issue in Microsoft Agent that could execute arbitrary code when a specially crafted URL is visited.
Finally, a kernel flaw that allows privilege escalation has been addressed, although Microsoft gave it only its second-highest severity rating, "important." According to the advisory, the flaw stems from incorrect permissions being assigned to a mapped memory segment.
Amol Sarwate, vulnerability research lab manager at Qualys, explained that out of the five patches, the Vista patch is the most important. "This vulnerability contains a fix for a zero day vulnerability so it is the most critical of the patches," Sarwate said. "It can be attacked via the Web to allow remote code execution."
Paul Zimski, director of product and market strategy at PatchLink, seemed to agree, but added that the Vista fix shows there continue to be problems with Microsoft's new operating system.
"Organizations need to take notice that although Vista is more secure, it is certainly not immune from vulnerabilities. PatchLink recommends that organizations prioritize deploying the Vista-related patches, 017 and 021, ASAP," he told BetaNews Tuesday.
Both companies recommend applying all patches as soon as possible.