Jump to content

Community Zone
Recent Forum Topics
MSFN Guides
Mobile News

MSFN Recommend
AskVG.com Bink Filehorse FreewareFiles Where unprofessional journalism looks better OSNN The Windows Club WinBeta lunarsoft
MSFN Statistics

Windows News
Microsoft Releases Patch Tuesday Fixes for Windows Server and PowerPoint

Microsoft addressed two security bulletins in May’s Patch Tuesday release. Despite its small size, security experts said administrators should apply the fixes immediately as they addressed significant threats.

Microsoft fixed a critical vulnerability affecting Windows Server and an important bug in Microsoft Office PowerPoint, according to the Patch Tuesday advisory released May 10. Microsoft also assigned separate “exploitability” scores for newer versions of the software under the “improved” exploitability index ratings.

The team fixed a critical vulnerability (MS11-035) in the WINS component in Windows Server 2003 and 2008. WINS is a name resolution service that resolves names in the NetBIOS namespace and does not require authentication to use. While usually not available by default in Windows Server, it is commonly used in the enterprise for internal network servers. Administrators who have enabled WINS in Windows Server should apply the patch immediately as attackers could remotely cause a denial of service, according to Wolfgang Kandek, the CTO of Qualys.

“What might make the WINS vulnerability appealing to attackers is that it is a server-side issue,” Joshua Talbot, security intelligence manager, Symantec Security Response, told eWEEK.

Unlike other threats, attackers don’t have to trick a user into doing anything since it’s just a matter of finding a vulnerable server and feeding the machine “a malicious string of data,” according to Talbot. It is also a more serious issue on Windows Server 2003 than on 2008 because Windows Server 2008 has built-in protections such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). However, attackers can still create exploit code to get past those security features, Talbot said.

The other “important” bulletin (MS11-036) addressed a security flaw in all versions of Microsoft Office Power Point except Office 2010. The bug would allow attackers to take full control of the target machine as soon as the user opens a malicious PPT file.

Both WINS and PowerPoint vulnerabilities are fairly significant, according to Tyler Reguly, technical manager of security research and development at nCircle. File format vulnerabilities are “popular exploits” but WINS is remote code execution, so it was “difficult” to decide which was the “biggest risk today.”

View: Microsoft Security Bulletin Summary for May 2011
More @ eWeek