Patch Tuesday was quieter than usual for Microsoft users this month, with the company issuing just four security bulletins yesterday.
Four vulnerabilities were fixed in Windows, Visual Studio and the MSN and Windows Live Messenger software, setting a 2007 record for the fewest flaws fixed in a month's scheduled updates.
Only one of the four flaws was pegged critical, Microsoft's highest threat warning, while the other three were all labelled important, a notch lower.
Two security analysts pointed at MS07-054, the update for Microsoft's instant messaging clients – MSN Messenger and the newest Windows Live Messenger – as the one to deploy first. "It's the most interesting," said Andrew Storms, director of security operations at nCircle Network Security. "It's only rated important, but it patches a known vulnerability that's been publicly known for a week."
Messenger's webcam vulnerability was first reported late last month on a Chinese-language security mailing list, and exploit code for the flaw has made its way onto the internet. Users duped into accepting a malicious webcam or video chat invitation risked losing control of their PC to the attacker.
"This is the most important one," agreed Amol Sarwate, manager of Qualys' vulnerability lab. "It falls into this new trend of new media attacks using social engineering. By 'new media,' I mean exploits inside images, inside MP3 files and, in this case, inside [a] webcam session." Rather than rely on users to open infected attachments – a practice many users now know is dangerous – new media attacks hope that users' guards are down when they receive chat invitations via IM.
But one researcher fingered a different bulletin – MS07-051 – as the one to deploy pronto. "The most critical is the Microsoft Agent vulnerability," said Tom Cross, of IBM Internet Security Systems' X-Force, noting that the vulnerability could be exploited by well-known methods. To exploit it, an attacker would need to entice users to a malicious web site. "It uses a pretty common attack vector," he said, "and fits the profile of a lot of bugs."