Patch Tuesday Yields Seven Critical Patches for 19 Flaws
Corrected: May 9, 2007
by Alex Woodie
Microsoft issued seven patches for 19 vulnerabilities in its products yesterday as part of the scheduled Patch Tuesday event. One of the patches fixes the critical DNS server flaw that malicious software writers have been exploiting for the last several weeks. The day also brought three patches affecting Office flaws, a cumulative update for Internet Explorer that includes a fix for a newly discovered vulnerability, and one patch each for new critical security problems found in BizTalk Server and Exchange Server.
For the first time in recent memory, all of the fixes that Microsoft issued on its monthly Patch Tuesday event are deemed critical, meaning that they are remotely executable and that administrators should do their best to apply the patches as soon as possible--right after testing them for compatibility with current systems and applications, of course.
In terms of severity, Microsoft Security Bulletin MS07-029 is probably the most critical of the seven patches issued yesterday. This patch fixes the zero-day DNS server flaw that hackers have been exploiting since April 13.
Microsoft had said it was considering issuing an out-of-band patch for this flaw, which affects all Windows Server operating systems going back to Windows 2000. Instead, it waited until yesterday to issue the patch, which gave it more time for testing. That is probably a good thing, considering the mission-critical nature of the Windows DNS server and the fact that Active Directory relies heavily on it; exploits of the DNS flaw do not appear to be widespread. Microsoft credits SANS ISC Handlers and the Information Security Office at Carnegie Mellon University with helping it patch this flaw.
Another important patch that should be a priority in your patch-and-test cycle is Microsoft Security Bulletin MS07-026, which fixes four flaws in all recent versions of Exchange Server, including Exchange Server versions 2000, 2003 Service Pack 1 (SP1) and SP2, and 2007. While Microsoft is not aware of any attack code on the Internet for these vulnerabilities, it is likely just a matter of days before there is.
Of particular concern with MS07-026 is the impact the Outlook Web Access (OWA) Script Injection Vulnerability could have on users. Minoo Hamilton, senior security researcher for nCircle, a network security research firm, says this vulnerability is similar to the DNS Server flaw in terms of the impact it can have.
"There are two key issues here: The first is that this vulnerability can take Exchange users by surprise if they have a preview pane operating. In this case they don't actually have to open the e-mail or click on an attachment, and this makes this vulnerability more dangerous than other MS Office application vulnerabilities," Hamilton says. Microsoft credits Izecom with finding the OWA vulnerability, Determina Security Research with finding the Malformed iCal Vulnerability, and iDefense with finding the IMAP Literal Processing vulnerability.
Another critical patch users should keep their eye on is Microsoft Security Bulletin MS07-027, a cumulative update for Internet Explorer that addresses five separate flaws, each of which is remotely executable and could give attackers complete control over an affected system. Only one of these flaws, the COM Object vulnerability, was publicly disclosed before yesterday; Microsoft claims it's not currently being exploited.
Another zero-day flaw in Microsoft Word, the Word Document Stream vulnerability, was fixed with Microsoft Security Bulletin MS07-024. In total, MS07-024 fixes three flaws that affect all versions of Word except for the recent Office 2007 version of the popular word processor program. Microsoft credits McAfee Avert Labs and AV-Test for finding the Word Document Stream problem, and iDefense for finding the RTF Parsing problem.
Among the less important, but still critical, patches issued yesterday is Microsoft Security Bulletin MS07-025, which fixes a remotely executable problem with how Office processes drawing objects. This flaw affects Office 2000 SP3, Office XP SP3, Office 2003 SP3, Office 2004 for Mac, and Office 2007.
Last but not least is Microsoft Security Bulletin MS07-028, which fixes a critical vulnerability in the CAPICOM component of BizTalk Server 2004 SP1 and SP2. Because CAPICOM uses an ActiveX control, an attacker who passes a malicious ActiveX control could take full control of a server running BizTalk Server, Microsoft's business-to-business platform.
Amol Sarwate, manager of the vulnerability research lab at Qualys, noted that the shine on Office 2007 was a little less sparkly following the disclosure of multiple security flaws yesterday. "Microsoft 2007 software, including Exchange and Office, continue to come up vulnerable, demonstrating that the SDL [security development lifecycle] is not infallible," he says. "Also, it is worth noting that all but one of the vulnerabilities for this release were discovered by external sources pointing to the fact that Microsoft was in a reactive mode fixing issues rather than proactively finding them internally."
In closing, just a word of caution: While you were catching some much-deserved shut-eye last night, malicious software writers were burning the midnight oil trying to figure out ways to take advantage of the treasure trove of vulnerability info Microsoft provided them yesterday. You have maybe another day before the exploit code for these flaws begins to hit the Web, giving every script kiddy in the world a chance to knock on the door of your critical business systems.
"Typically what happens is Microsoft release patches today [Tuesday], and sometime this evening or by tomorrow spyware installers will be taking advantage of these flaws," Shavlik's Allen says. "That's always the danger with this stuff."
Microsoft also updated the Malicious Software Removal Tool, and issued a range of non-security related updates yesterday. The software giant is holding a Web cast today at 11 a.m. PDT to discuss the May Patch Tuesday. See for information on how to register.
This article has been corrected. Amol Sarwate's name was misspelled in the original article. IT Jungle regrets the error.