Volume 4, Number 1 -- January 10, 2007

Patch Tuesday Yields Four Patches for 10 Vulnerabilities

Published: January 10, 2007

by Alex Woodie

Microsoft's security team yesterday picked up where it left off in 2006 when it issued four patches covering 10 vulnerabilities, including three fixes for critical zero-day vulnerabilities in Windows and Office. The number of patches would have been twice as high had Microsoft not pulled four patches at the last minute, raising the likelihood of an out-of-band release of fixes by Microsoft later this month, according to a security expert.

So far, not much has changed security-wise in the new year, according to Amol Sarwate, manager of the vulnerability lab at security software company Qualys. "Two trends that started late last year are still going strong, including the increase in zero-day vulnerabilities, and second, an increase in client-side issues. All of these [patches released by Microsoft this week] are client-side issues," he says.

Most of the problems fixed yesterday--as well as the problems that Microsoft chose not to address yet--involve zero-day exploits, Sarwate says. The good news is that, while the vulnerabilities could lead to remote code execution, most of them require user interaction. That means they aren't "wormable"--that is, they can't be used to create worms that propagate by themselves across the Internet without any input from the user, according to Sarwate.

The bad news is that there are still unpatched vulnerabilities in Windows, Office, and Visual Studio that attackers could use to launch attacks. When Microsoft sent out its patch notifications early last week, it said there would be eight patches. However, the company quickly followed up on that initial report last Thursday or Friday and said there would be only four patches.

The cancellation of the patches was likely due to quality issues, Sarwate says. "We know they have four patches they wanted to release that they did not release," he says. "It's just a matter of time before somebody researches and exploits them. I would expect an out-of-band release from Microsoft."

Here's a rundown on the patches that were released yesterday:

  • Microsoft Security Bulletin MS07-001 fixes a remote code execution problem, deemed "important," in the Portuguese version of Office 2003 distributed in Brazil. A data validation problem with the grammar checker in Word could allow an attacker to take complete control of an affected system if a user opened a malformed document, either through e-mail or over the Web. Microsoft says that, although this vulnerability had been publicly disclosed, it was not aware of any actual attacks using this vulnerability.
  • Microsoft Security Bulletin MS07-002 fixes five critical vulnerabilities in the versions of Excel that ship with Office 2000, Office XP, Office 2003, Microsoft Works Suite 2004 and 2005, and Office 2002 and Office v.X for Mac. Like the Word problem addressed with MS07-001, this series of vulnerabilities could enable an attacker to take complete control of a system if a user opened a malformed spreadsheet. Microsoft says it's not aware of any attacks utilizing the vulnerabilities closed with this patch.
  • Microsoft Security Bulletin MS07-003 is a critical patch that fixes three vulnerabilities in all recent versions of Outlook, except the newest one that shipped with Office 2007. Without this patch, users expose themselves to remote code execution or denial of service attacks. According to Sarwate, this patch closes the most severe problems--specifically the iCal vulnerability--disclosed this Patch Tuesday. "That is the one we've seen some activity, as far as hackers attempting to use that vulnerability," he says.
  • Microsoft Security Bulletin MS07-004 fixes another problem discovered in the Vector Markup Language (VML) component of Windows 2000, Windows XP, and Windows Server 2003. Microsoft first addressed a problem in VML with a rare out-of-cycle patch in September, and this patch expands on the earlier patch to fix a newly discovered vulnerability relating to the Windows implementation of VML.

Microsoft isn't the only vendor that should be concerned about the security of its software. According to Sarwate, a problem with Adobe's ubiquitous PDF software has yet to be fixed, and could cause harm among both consumers and businesses. Among business software, unpatched vulnerabilities in CA's Backup Exec software could also cause problems.

For more information on the recent patches or to register for today's Web cast at 11 a.m. PST, go to www.microsoft.com/technet/security/default.mspx.

RELATED STORIES

Microsoft Patches Two Zero-Day Exploits, Leaves Two Untouched

Microsoft Issues Out-of-Cycle Patch for VML Flaw

Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

The Windows Observer

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
