Microsoft issues more "critical" security updates

Stephen Withers
Wednesday, 11 April 2007 04:48

Your IT - Home IT

Microsoft has returned to its regular 'Patch Tuesday' schedule with four "critical" and one "important" bulletins.

The critical updates for Windows address vulnerabilities in Universal Plug and Play, Microsoft Agent, and Windows Client/Server Runtime System (CSRSS). All three issues are capable of allowing remote code execution.

The CSRSS update also protects against two other vulnerabilities, one allowing local privilege escalation, the other allowing a denial of service attack that restarts the affected system.

Even Vista - "the most secure Windows yet" according to Microsoft - is affected by the CSRSS vulnerabilities.

The remaining Windows patch covers a kernel flaw that sets incorrect permissions on a memory segment, presenting an opportunity for a local privilege escalation.

As previously disclosed, this month's final bulletin is for Microsoft Content Management Server. Two vulnerabilities - both remotely exploitable - are fixed by the update. One allows a specially crafted HTTP request to corrupt the contents of memory, allowing the execution of arbitrary code. The other allows cross-site scripting and spoofing.

The hotfix for problems with last week's patch for the animated cursor vulnerability is also being offered by Windows Update, Microsoft Update and Automatic Updates to systems that have any of the three affected applications (Realtek HD Audio control panel, ElsterFormular, TUGZip and CD-Tag).

The Outlook Junk Mail Filter and the Malicious Software Removal Tool have also been updated.