May 8th, 2007

Patch Tuesday: 7 bulletins, 19 flaws, all critical

Posted by Ryan Naraine @ 11:18 am

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Hackers, Metasploit, Microsoft, Open source, Patch Watch, Pen testing, Responsible disclosure, Spam and Phishing, Spyware and Adware, Uncategorized, Viruses and Worms, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Microsoft Office, Vulnerability, Microsoft Windows, Microsoft Internet Explorer, Microsoft Corp., Attack, Flaw, Ryan Naraine

It's an all-critical Patch Tuesday.

Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser.

Six of the 19 vulnerabilities affect Windows Vista.

The batch of updates includes a promised fix for the Windows DNS RPC vulnerability that was being used in zero-day attacks last month.   

There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. 

Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which covers 4 different flaws.

A cumulative IE update addresses six potentially dangerous bugs. These six also apply to IE 7 on Windows Vista.

The last bulletin in this month's batch applies to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.

The raw details:

MS07-023: Three vulnerabilities in Microsoft Excel that could allow code execution attacks.  This applies to Office 2000 (SP3), Office XP, Excel 2002, Office 2003 (SP2), Excel 2003 (including Viewer), 2007 Office System and Office 2004 for Mac.

MS07-024: Three vulnerabilities in Microsoft Word that put users at risk of PC takeover attacks.  One of these bugs was being exploited in zero-day attacks, so treat this one with the highest possible priority if you depend on Microsoft Word documents.

MS07-025: Covers a single bug affecting the Microsoft Office software suite.  This carries a "critical" rating but the only version vulnerable to code-execution attacks is Office 2000.  The 2007 Office system is affected but the risk is lowered to "important."

MS07-026: This applies to Microsoft Exchange and provides patches for 4 different vulnerabilities.  Affected versions include Exchange 2000 Server, Exchange Server 2003 and Exchange Server 2007.  One of the 4 flaws is rated "critical" across the board.

MS07-027: This is the Internet Explorer patch that affects IE 7 on Windows Vista. In all, this cumulative update fixes six different vulnerabilities that could lead to code execution attacks.  Three of the six bring code execution risks to Vista users.  Exploit code for one of these flaws is publicly available.

MS07-028: A vulnerability in CAPICOM that could allow remote code execution on BizTalk Server 2004.  The flaw lies in CAPICOM.Certificates, an ActiveX control that provides scripters (VBS, ASP, ASP.NET etc.) with a method for encrypting data based on the underlying Windows CryptoAPI functionality.

MS07-029: This addresses the code execution hole in the Windows DNS RPC Interface that was discovered during zero-day attacks last month.  This update should be treated with the highest possible priority if you are running Windows 2000 or Windows Server 2003.  Exploit code and attack information are widely available.

* NOTE: This post was updated to reflect the accurate flaw count.

[UPDATE: May 8, 2007 @ 5:23 PM]  Microsoft offers a free DVD5 ISO image file with all the March 2007 security updates. The image does not contain security updates for other Microsoft products. This DVD5 ISO image is intended for corporate administrators who manage large multinational organizations, who need to download multiple individual language versions of each security update and who do not use an automated solution such as Windows Server Update Services (WSUS).

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Talkback (most recent of 127):

Whatever!!!!
Did we not read the story, SIX of the critical vulnerabilities affect Vista as well. Vista is a TURD!!!...
Posted by: jakenhauser on 05/31/07