Microsoft Marks Light Patch Tuesday With Two Security UpdatesMicrosoft Marks Light Patch Tuesday With Two Security Updates

Microsoft on Tuesday released two security bulletins, one rated "critical" and the other rated "important."

Microsoft Security Bulletin MS07-061 describes a publicly reported flaw in the way the Windows shell handles Uniform Resource Identifier (URI) strings. An attacker exploiting this vulnerability could execute arbitrary code on the affected system.

Microsoft first acknowledged this vulnerability on October 10. It has been publicly known at least since July when security firm Secunia published a security advisory on the flaw.

Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies, said that it's a light month for patches but welcomed the URI fix. "A very critical patch was released," he said. "This patch addresses a security issue that's being actively exploited on the Internet. So it's important to get this patched immediately."

Microsoft Security Bulletin MS07-062 describes a vulnerability in Windows DNS Servers that could allow an attacker to spoof DNS requests and thereby redirect Internet traffic from legitimate sites.

The affected Microsoft operating systems include certain versions of Windows XP and Windows Server 2003. The spoofing vulnerability also affects Windows 2000 Server Service Pack 4.

In an e-mailed statement, Ben Greenbaum, senior research manager at Symantec Security Response said, ""We find the DNS spoofing issue to be of interest as well because it could allow, for example, attackers to send victims to a phishing site without the use of a phishing e-mail as bait."

However, Schultze said that for most of the world, this is a non-issue. "If you're a DNS administrator then it should be your top priority to get this patch installed," he said, even if the associated attack is beyond the means of the typical script kiddie.

Microsoft also re-released Microsoft Security Bulletin MS07-049 to address problems some people were having with the installer.

Finally, Microsoft said that a patch addressing a flaw in a Macrovision driver was available at the vendor's site. "As your probably also aware we recently released Security Advisory 944653 regarding a vulnerability in secdrv.sys, a SafeDisc driver, which is made by Macrovision and shipped in certain versions of Microsoft Windows," the company said on the Microsoft Security Response Center blog. "Macrovision has also released an Advisory and posted a manual patch to update the system driver, secdrv.sys, on Window XP and Windows Server 2003 systems, which is available at [Macrovision's site]. It's important to note that Microsoft Windows Vista is not affected by this vulnerability."

"I would not be shocked to see Microsoft release the patch later this month as an out-of-band release," Schultze said.

Despite the light patch-related workload this month, Schultze warned against complacency. "Consider it the calm before the storm," he said. "We don't know when the storm is coming but there's sure to be one."