News 

The first critical update (MS07-031) involves the Windows implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) Internet authentication protocols. It resolves a privately reported vulnerability in the Secure Channel (Schannel) security package in Windows. In the worst case, the vulnerability could allow the remote execution of code, and it is believed it could form the basis of denial-of-service attacks.

The second critical fix is a cumulative update (MS07-033) for Internet Explorer (all supported versions). Again, all five vulnerabilities could allow remote code execution if a user visited a specially crafted

ADVERTISEMENT

web page. According to Microsoft, this update modifies IE's handling of calls, error conditions, and special features, such as Language Pack Installation and Speech Control.

Outlook Express and Windows Mail are affected by bulletin MS07-034 - a specially crafted email could exploit a critical vulnerability in Windows Vista, again allowing remote code execution. In response, Microsoft has updated the MHTML protocol handler in Windows so that it handles URLs more securely when redirections are involved. For Windows XP, however, the vulnerability is only rated as Important or Moderate. Check the bulletin for exact details of the affected Windows XP software.

Finally, the last critical security update (MS07-035) resolves a privately reported vulnerability in a Win32 API function. As well as remote execution of code this vulnerability allows elevation of user privilege. Internet Explorer is among the apps that use this particular function and is vulnerable to attack through a suitably crafted Web page.

You can read the full details of the latest monthly update here.