Hello and welcome to this month’s blog on the Microsoft patch releases. November is a light month with only two releases, each addressing one vulnerability.

The first bulletin, rated as critical by Microsoft, addresses a vulnerability reported in October (BID 25945). The problem stems around how Windows handles certain malformed URLs. This issue saw a fair amount of press over the last month including a security advisory released by Microsoft.

The second vulnerability, rated as important by Microsoft, involves the Microsoft DNS Server service. An attacker may be able to exploit this issue to corrupt the DNS cache and have DNS entries point to attacker-controlled IPs.

This can then be further utilized to aid in phishing style attacks.

Microsoft’s summary of the November releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx

1. Vulnerability in Windows URL Handling Could Allow Remote Code Execution (KB943460)

CVE-2007-3896 (BID 25945)

Windows URL Handling Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 8.2/10)

This is an update to a previously disclosed vulnerability in Windows regarding URL handling. The issue is caused by how interactions are handled between Internet Explorer and Windows Shell. This issue was introduced in an updated component installed with Internet Explorer 7. Third-party applications that do not perform adequate input validation on URLs may serve as attack vectors for this vulnerability. Successfully exploiting this issue allows remote attackers to execute arbitrary commands in the context of users that follow malicious URLs.

Affects the following operating systems with Internet Explorer 7 installed: Windows XP Service Pack 2, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 & Sp2, Windows Server 2003 x64 Edition, Windows 2003 Server x64 Edition SP2, Windows Server 2003 Itanium SP1 & SP2

Note: This does not affect Windows Vista.

2. Vulnerability in DNS Could Allow Spoofing (KB941672)

CVE-2007-3898 (BID 25919)

DNS Spoofing Attack Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)

This is a remote vulnerability in Windows DNS Server service that may allow an attacker to spoof responses to DNS requests. The DNS protocol includes a transaction ID that is used to correlate requests. However, the Windows DNS Server service does not provide enough entropy in the randomization process when creating that ID for use in recursive DNS queries. This may allow an attacker to spoof legitimate responses, poisoning the DNS cache, and potentially redirecting traffic to attacker-controlled locations.

Affects: Windows 2000 Server SP4, Windows Server 2003 SP1 & SP2, Windows Server 2003 x64, Windows Server 2003 x64 SP2, Windows Server 2003 Itanium SP1 & SP2

More information on this and other vulnerabilities is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.