realforce

Gamer Book

Wednesday, May 09, 2007

Microsoft addresses Windows DNS and other vulnerabilities in its May patch release

Japanese source

On May 8 (US time), Microsoft fixed 19 security vulnerabilities in products including its new browser, Internet Explorer 7, as well as Office 2007 and Exchange 2007.

The company published seven security bulletins as part of its monthly patch release. All of them carry the "critical" rating, the highest severity level. Critical vulnerabilities can often be exploited to take complete control of the affected system with little or no action on the user's part.

Most of the vulnerabilities patched on the 8th can be exploited simply by getting a user to view a malicious website or open a malicious file, and the number of cybercriminals mounting such attacks is growing.

MS07-027, included in this update, fixes six vulnerabilities in Internet Explorer that could be exploited through malicious websites. Three other updates address vulnerabilities in Office applications, including Office 2007. Most of these bugs stem from flaws in the way the Office applications handle certain files, and they could be exploited using malicious Office files.

Exploiting the Exchange vulnerabilities could give an attacker complete control of a system running the e-mail server software without requiring any special action from the user. The product line, including Exchange 2007, has four vulnerabilities, which Microsoft fixed in security update MS07-026. The most dangerous of these is said to be a bug in the way Exchange encrypts e-mail messages.

Amol Sarwate, manager of the vulnerability research lab at Qualys, points out that the disclosure of multiple vulnerabilities seriously affecting Internet Explorer 7, Office 2007 and Exchange 2007 has damaged Microsoft's security message. Microsoft had been emphasizing the security of these products, citing its security development process.

"Vulnerabilities will continue to be found in Microsoft's 2007 software, above all Exchange and Office, exposing the fact that the company's security development lifecycle is not perfect," Sarwate said. In its April patch release, Microsoft provided a security update that included a patch for a zero-day vulnerability in Windows that also affected Vista.

Another problem thought to affect many users is a vulnerability in Capicom, a component that adds cryptographic functions to applications. According to Microsoft security bulletin MS07-028, the flaw relates to the way the component processes certain data, and if exploited by an attacker it could allow a computer running the component to be taken over.

The updates include fixes for three zero-day vulnerabilities. One of these fixes a vulnerability in the Windows Domain Name System (DNS) whose release had been awaited for some time. The vulnerability affects Windows 2000 Server and Windows Server 2003. In April 2007, Microsoft warned that the vulnerability was being exploited in "limited" attacks.

According to Microsoft, the other zero-day vulnerabilities for which fixes were provided exist in Internet Explorer and Word, and the Word bug has been used in cyberattacks.

Translation from the Japanese source into English

On May 8, US time, Microsoft corrected 19 security vulnerabilities in products including its new browser, Internet Explorer 7, together with Office 2007 and Exchange 2007.

The company announced seven security bulletins as part of its monthly patch release. Every one of them is rated "critical," the highest degree of seriousness. Critical vulnerabilities are in many cases exploitable to take complete control of the targeted system with little or no action required from the user.

Most of the vulnerabilities for which patches were released on the 8th can be exploited merely by having a user view a malicious website or open a malicious file, and the number of cybercriminals launching such attacks is rising.

MS07-027, part of the latest update, corrects six vulnerabilities in Internet Explorer that could be exploited through a malicious website. Three further updates deal with vulnerabilities in Office applications, starting with Office 2007. The majority of these bugs arise from defects in the way the Office applications handle particular files, and they could be exploited by means of a malicious Office file.

If the Exchange vulnerabilities are exploited, a system running the e-mail server software could be completely controlled without the user being made to perform any special operation. There were four vulnerabilities in the product series that includes Exchange 2007, and Microsoft repaired them with security update MS07-026. The most dangerous among them is said to be a bug in the method Exchange uses to encrypt e-mail messages.

The fresh publication of multiple vulnerabilities with serious effects on Internet Explorer 7, Office 2007 and Exchange 2007 has damaged Microsoft's security message, says Amol Sarwate, vulnerability research lab manager at Qualys. Microsoft had referred to its security development process and emphasized the safety of these products.

"Discoveries of vulnerabilities in Microsoft's 2007 software, with Exchange and Office at the head, will follow one after another, and it will come to the surface that the company's security development lifecycle is not complete," Sarwate states. With its April patch release, Microsoft also offered a security update that included a patch for a zero-day vulnerability in Windows that affected Vista.

In addition, a vulnerability in Capicom, a component that adds cryptographic capability to applications, is a problem thought to affect many users. According to Microsoft security bulletin MS07-028, this is a defect related to the way the component processes particular data, and if it is exploited by an attacker there is a possibility that a computer on which the component runs could be taken over.

The latest update includes fixes that repair three zero-day vulnerabilities. One of these repairs a vulnerability in the Windows Domain Name System (DNS), and its release had been awaited for some time. The vulnerability affects Windows 2000 Server and Windows Server 2003. Microsoft warned in April 2007 that the vulnerability was being exploited in "limited" attacks.

According to Microsoft, the other zero-day vulnerabilities for which repair patches were offered exist in Internet Explorer and Word, and the Word bug is said to be in use in cyberattacks.

English source

Microsoft on Tuesday released fixes for 19 security flaws in several of its products, including the new Internet Explorer 7, Office 2007 and Exchange 2007.

The company published seven security bulletins as part of its monthly patch cycle. All are tagged "critical," its highest rating. Critical vulnerabilities typically allow an attacker to gain full control of an affected system with very little, if any, action by the user.

Most of the vulnerabilities addressed by Tuesday's fixes can only be exploited after someone visits a rigged Web site or opens a malicious file, attack approaches that are increasingly popular among cybercrooks.

Microsoft's MS07-027 update fixes six flaws in Internet Explorer that could be exploited through malicious Web sites. Three Microsoft updates deal with flaws in Office applications, including Office 2007. Most of these bugs exist because of errors in the way the applications handle certain files and could be exploited through a rigged Office file.

Exchange is flawed in a way that could allow a system running the e-mail server software to be fully compromised without any special user action. There are four vulnerabilities in Exchange, including Exchange 2007, addressed by Microsoft's MS07-026 fix. The most serious bug exists in the way Exchange encodes e-mail messages.

The fact that several of the newly reported vulnerabilities critically affect Internet Explorer 7, Office 2007 and Exchange 2007, hurts Microsoft's security message, said Amol Sarwate, manager of the vulnerability research lab at Qualys. Microsoft has marketed these programs as secure, citing its security development process.

"Microsoft 2007 software, including Exchange and Office, continues to come up vulnerable, demonstrating that the security development lifecycle is not infallible," Sarwate said. Last month's Microsoft patches included a fix for a zero-day flaw in Windows that also affected Vista.

Another vulnerability that may affect many users lies in "Capicom," a component to add cryptography to applications. It is flawed in the way it handles specific data, a bug that could let an attacker commandeer a computer running the component, Microsoft said in bulletin MS07-028.

Among Microsoft's updates are fixes for a trio of zero-day vulnerabilities. This includes an expected patch for a flaw in the Windows domain name system, or DNS. The vulnerability affects Windows 2000 Server and Windows Server 2003. Microsoft warned of the problem last month and has said it was being used in "limited" attacks.

The remaining zero-day vulnerabilities for which fixes are now available are in Internet Explorer and Word, Microsoft said. The Word flaw had also been used in cyberattacks, it said.

Microsoft's fixes will be made available to Windows users via the Automatic Updates feature and are also available for download from Microsoft Update and Windows Update.

posted by Xune @ 14:40