Volume 4, Number 6 -- February 14, 2007

Microsoft Issues a Dozen Security Patches, Fixes Security Tools

Published: February 14, 2007

by Alex Woodie

It's that time again--time to get your patches on, and to do so quickly. Microsoft yesterday hosted the biggest Patch Tuesday event of the young year when it posted 12 security fixes for 20 security flaws in its products. Seven of the patches addressed zero-day flaws that have been used to launch attacks across the Internet in recent weeks, and there was even a patch fixing Microsoft's security tools, which could have automatically triggered the exploit with no interaction from the user.

We'll start with the six critical patches. Microsoft Security Bulletin MS07-008 fixes the critical HTML Help ActiveX Control vulnerability that could enable a hacker to take total control over a computer running Windows 2000 Service Pack 4 (SP4), all 32-bit and 64-bit versions of Windows XP and XP SP2, and all versions of Windows Server 2003. Microsoft says this was a newly disclosed, privately reported vulnerability, and that it's not aware of any current Web attacks exploiting the flaw, which Microsoft credits Breakingpoint Systems with helping to track down.

Microsoft Security Bulletin MS07-009 fixes the critical and previously disclosed Windows MDAC ActiveX Vulnerability. This is a potentially nasty remote-execution vulnerability that affects select products, including Windows 2000 SP4, Windows XP SP2, Windows Server 2003, and the Itanium version of Windows Server 2003 (but not Windows Server 2003 SP1 or any of the X64 versions of Windows). The French Security Incident Response Team first spotted the flaw, Microsoft says.

The software giant surprised everybody with Microsoft Security Bulletin MS07-010, which fixes security problems in a slew of its security offerings, including Windows Live OneCare, Antigen for Exchange and Antigen for SMTP Gateway, various Windows Defender releases, and Forefront Security for Exchange Server and SharePoint. Microsoft says the problem has to do with the way these products parse PDF documents. The flaw was privately reported to Microsoft by IBM's ISS-X-Force security group.

You could say that Big Blue's X-men helped Microsoft dodge a serious bullet with MS07-010. According to security software developer Qualys, this vulnerability was potentially disastrous for Microsoft. "As scanning engines, these applications could automatically activate the exploit with no user interaction required," says Amol Sarwate, manager of the vulnerability research lab at Qualys. Also, because these scanning engines work with Windows Vista, they could be used to exploit Vista machines, even though Microsoft has not yet issued any patches for the young operating system.

Microsoft Security Bulletin MS07-014 is a biggie. This megapatch fixes six vulnerabilities in all recent versions of Office Word (except for Office 2007), including Office for Mac. Four of the problems fixed with this patch are zero-day flaws currently being exploited across the Internet. Microsoft credited several groups with helping to find and fix the problems, including Information and Communication Security Technology Center, the United Services Automobile Association, and AV-Test.

Microsoft Security Bulletin MS07-015 tackles a pair of related security flaws freshly discovered in recent versions of Excel and PowerPoint (except for Office 2007 and the versions included in Microsoft Works). While only one of these flaws (the Excel Malformed Record Vulnerability) is currently being exploited, both flaws could be exploited by a hacker to take complete control of an affected system. Microsoft credits VigilantMinds with helping to spot the PowerPoint problems.

The final critical patch, Microsoft Security Bulletin MS07-016, is a cumulative update for Internet Explorer versions 5, 6, and 7, running on all recent versions of Windows, except Windows Vista. The patch fixes three new problems that are related to running ActiveX controls and using FTP and that carry the risk of remote code execution. One of the problems had been publicly described, but none of them had been used to launch attacks on the Web, Microsoft says. The company credited iDefense and Breakingpoint Systems with reporting the problems.

Microsoft also issued six patches it deemed important (just not as important as the critical patches fixing the most serious flaws, discussed above). Microsoft Security Bulletin MS07-005 fixes the Interactive Training Vulnerability, a newly discovered problem that poses a remote code execution risk for Windows 2000 SP4 and all 32-bit and 64-bit versions of Windows XP (including SP2) and Windows Server 2003 (including SP1). Security-Assessment.com, a security company based in Australia and New Zealand, reported the flaw to Microsoft, the software giant said.

Microsoft Security Bulletin MS07-006 addresses an elevation of privilege vulnerability that exists in Windows XP and Windows Server 2003 (but not in Windows 2000 SP4 or Windows Vista). This flaw, which Microsoft gave an "important" rating, had not been publicly disclosed before yesterday.

Microsoft Security Bulletin MS07-007 fixes an important elevation of privilege vulnerability affecting only Windows XP SP2. Microsoft says an unchecked buffer in the Windows Image Acquisition service could enable an attacker to gain complete control of an affected system, as long as he was already logged on. This vulnerability was privately reported and hasn't been exploited in the wild, Microsoft says.

The final three patches are closely related, and were discovered by the same group of people.

Microsoft Security Bulletin MS07-011 fixes a memory corruption condition in the OLE Dialog component of all recent versions of Windows (sans Vista). This flaw (like the flaws discussed below) could be used by an attacker to take over a computer if he tricked a user into opening a malformed RTF file. However, the flaw only rates as important on Microsoft's scale because it would be difficult for a criminal to execute an attack over the Web, according to the company.

Microsoft Security Bulletin MS07-012 fixes the MFC Memory Corruption Vulnerability, another remote code execution flaw that afflicts all recent versions of Windows (except Vista, of course) and some Visual Studio releases.

Microsoft Security Bulletin MS07-013 fixes the Microsoft RichEdit flaw in all versions of Windows (except Vista) and all recent versions of Office (except Office 2007 and the Excel and PowerPoint viewers in Office 2003 SP2).

Microsoft credited the security software company Immunity and the European Aeronautics Defense and Space Company (EADS) with finding the problems addressed by MS07-011, MS07-012, and MS07-013. The company says none of these flaws has been exploited yet.

For more information on yesterday's Patch Tuesday or to sign up for today's security Webcast, go to the Microsoft TechNet Security Center.





Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
