Microsoft highlights critical flaws with patch update

Software giant Microsoft has released a total of six security bulletins this month, with four of them residing in the 'critical' category.

The first critical update (MS07-031) involves the Windows implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TSL) internet authentication protocols. It resolves a privately reported vulnerability in the Secure Channel (Schannel) security package in Windows.

In the worst case, the vulnerability could allow the remote execution of code, and it is believed it could form the basis of denial-of-service attacks.

The second critical fix is a cumulative update (MS07-033) for Internet Explorer (all supported versions).

Again, all five vulnerabilities could allow remote code execution if a user visited a specially crafted web page. According to Microsoft, this update modifies IE's handling of calls, error conditions, and special features, such as Language Pack Installation and Speech Control.

Outlook Express and Windows Mail are affected by bulletin MS07-034 - a specially crafted email could exploit a critical vulnerability in Windows Vista, again allowing remote code execution.

In response, Microsoft has updated the MHTML protocol handler in Windows so that it handles URLs more securely when redirections are involved. For Windows XP, however, the vulnerability is only rated as Important or Moderate. Users are advised to check the bulletin for exact details of the affected Windows XP software.

Finally, the last critical security update (MS07-035) resolves a privately reported vulnerability in a Win32 API function.

In addition to the remote execution of code this vulnerability allows elevation of user privilege. Internet Explorer is among the apps that use this particular function and is vulnerable to attack through a suitably crafted web page.