May’s Patch Tuesday didn’t just mean seven critical security bulletins for admins to worry about — it also welcomed some of Redmond’s newer products, including Office 2007 and Exchange 2007, to the process. While six of the updates address remote code execution threats — the remaining is a cumulative update for IE — most are newly discovered vulnerabilities that hackers hadn’t had a chance to exploit.
This is a bad month to have Microsoft systems to maintain — the company greeted the second Tuesday of the month with the release of seven security bulletins, rating all of them as critical. Looking on the bright side, most of the critical ratings are for Windows 2000 and related Office 2000 applications. (The vulnerabilities affect newer platforms at a lower threat level.) In fact, you may spend more time determining what you need to patch than actually patching your systems.
Here’s a closer look at each update, listed in order. However, pay particular attention to MS07-029, which patches an already exploited flaw. As always, remember to check the actual security bulletins in case of updates.
Microsoft Security Bulletin MS07-023, “Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution,” addresses three vulnerabilities:
* Excel BIFF Record Vulnerability (CVE-2007-0215)
* Excel Set Font Vulnerability (CVE-2007-1203)
* Excel Filter Record Vulnerability (CVE-2007-1214)
This update affects Excel 2000 Service Pack 3, Excel 2002 SP3, Excel 2003 SP2, Excel 2003 Viewer SP2, Office 2004 for Mac, Excel 2007, and the Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. It does not affect Microsoft Works Suite.
This is a critical threat for Excel 2000 SP3 only; it’s an important threat for all other affected applications. This bulletin replaces Microsoft Security Bulletin MS07-002 for all applicable versions. There had been no reports of active exploits at the time of publication.
Microsoft Security Bulletin MS07-024, “Vulnerabilities in Microsoft Word Could Allow Remote Code Execution,” addresses three vulnerabilities:
* Word Array Overflow Vulnerability (CVE-2007-0035)
* Word Document Stream Vulnerability (CVE-2007-0870)
* Word RTF Parsing Vulnerability (CVE-2007-1202)
This update affects Word 2000 SP3, Word 2002 SP3, Word 2003 SP2, Word Viewer 2003 SP2, Office 2004 for Mac, Microsoft Works Suite 2004, Works Suite 2005, and Works Suite 2006. It does not affect Word 2007.
This is a critical threat for Word 2000 SP3 only; it’s an important threat for all other affected applications. This bulletin replaces Microsoft Security Bulletin MS07-014 for several versions; check the security bulletin for more details. Malicious users are actively exploiting the Word Document Stream Vulnerability.
Microsoft Security Bulletin MS07-025, “Vulnerability in Microsoft Office Could Allow Remote Code Execution,” addresses the Drawing Object Vulnerability (CVE-2007-1747). There had been no reports of active exploits at the time of publication.
This update affects various applications — predominantly Excel, FrontPage, and Publisher — in Office 2000 SP3, Office XP SP3, Office 2003 SP2, Office 2004 for Mac, and Office 2007. Check the security bulletin for the specific applications this update does and doesn’t affect.
This is a critical threat for Office 2000 SP3; it’s an important threat for all other affected versions. This bulletin replaces Microsoft Security Bulletin MS07-015 for all applicable versions.
Microsoft Security Bulletin MS07-026, “Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution,” addresses four vulnerabilities:
* MIME Decoding Vulnerability (CVE-2007-0213)
* Outlook Web Access Script Injection Vulnerability (CVE-2007-0220)
* Malformed iCal Vulnerability (CVE-2007-0039)
* IMAP Literal Processing Vulnerability (CVE-2007-0221)
The first vulnerability presents a remote code execution threat, the second presents an information disclosure threat, and the last two are denial-of-service threats. Because of the first vulnerability, this is a critical threat for all affected platforms.
This update affects Exchange 2000 Server SP3 with the Post-SP3 Update Rollup, Exchange Server 2003 SP1, Exchange Server 2003 SP2, and Exchange Server 2007. This bulletin replaces Microsoft Security Bulletins MS06-019 and MS06-029 for all applicable versions. There had been no reports of active exploits at the time of publication.
Microsoft Security Bulletin MS07-027, “Cumulative Security Update for Internet Explorer,” addresses six remote code execution vulnerabilities:
* COM Object Instantiation Memory Corruption Vulnerability (CVE-2007-0942)
* Uninitialized Memory Corruption Vulnerability (CVE-2007-0944)
* Property Memory Corruption Vulnerability (CVE-2007-0945)
* HTML Objects Memory Corruption Vulnerability (CVE-2007-0946)
* HTML Objects Memory Corruption Vulnerability (CVE-2007-0947)
* Arbitrary File Rewrite Vulnerability (CVE-2007-2221)
This update affects pretty much every version of Internet Explorer, from IE 5.01 to IE 7. Check the security bulletin for more details — Microsoft has already updated it once.
This is a critical threat for most affected versions; it’s a moderate threat for IE 6 and IE 7 on versions of Windows Server 2003. While the COM Object Instantiation Memory Corruption Vulnerability is a previously disclosed threat, there had been no reports of active exploits at the time of publication. This bulletin replaces Microsoft Security Bulletin MS07-016 for all applicable versions.
Microsoft Security Bulletin MS07-028, “Vulnerability in CAPICOM Could Allow Remote Code Execution,” addresses the CAPICOM.Certificates Vulnerability (CVE-2007-0940). This is a newly disclosed threat, and there had been no reports of active exploits at the time of publication.
This update affects CAPICOM, Platform SDK Redistributable: CAPICOM, BizTalk Server 2004 SP1, and BizTalk Server 2004 SP2; it does not affect other versions of BizTalk Server. This is a critical threat for all affected versions.
Microsoft Security Bulletin MS07-029, “Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution,” addresses the DNS RPC Management Vulnerability (CVE-2007-1748). This is a previously disclosed threat, and there have been reports of active exploits.
This update affects Windows 2000 Server SP4 and all versions of Windows Server 2003; it does not affect Windows 2000 Professional SP4, Windows XP, or Windows Vista. This is a critical threat for all affected systems.
A lot of these patches don’t appear to be particularly urgent, but the ratings could change. Your best bet is to read the security bulletins in their entirety to determine which ones affect your organization.
There are mitigating factors and possible workarounds, but companies need to evaluate them on an individual basis. Finally, don’t forget that interaction between various workarounds could have unintended consequences.