Microsoft Security Bulletin MS07-048 – Important
Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123)
This important security update resolves two privately reported vulnerabilities in addition to other vulnerabilities identified during the course of the investigation. These vulnerabilities could allow an anonymous remote attacker to run code with the privileges of the logged on user. If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget an attacker could potentially run code on the system. In all attack vectors, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.This is an important security update for all supported editions of Windows Vista. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses the vulnerability by improving validation code within the Feed Headlines and Contacts Gadgets. The Inspect Your Gadget document outlines secure programming best practices that should be followed when building Gadgets. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation: Microsoft recommends that customers apply the security update.
Known Issues: Microsoft Knowledge Base Article 938123 documents any currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.
Please see full page and information:
http://www.microsoft.com/technet/security/bulletin/MS07-048.mspx
Source: Dana Epp’s Weblog
