Patch Tuesday: Nine Security Tweaks for the Windows Stack

Published: August 22, 2007

by Timothy Prickett Morgan

While IT Jungle was away on holiday last week and Alex Woodie, the editor of The Windows Observer, was coping with a few days of grogginess following the birth of his first child, Jonathan, Microsoft was busy putting the finishing touches on its Patch Tuesday security patches for the month of August. This time around, there are six critical patches and three important patches for Windows and related programs.

Here is a rundown on the six critical patches first, and they all plug security holes that would otherwise allow hackers to create malware or viruses that would in turn allow remote execution of code on Windows machines.

Microsoft Security Bulletin MS07-042 plugs a security hole in the XML Core Services that is embedded in Windows 2000, Windows XP, Windows Vista, Office 2004, and Office System 2007. Microsoft Security Bulletin MS07-043 discusses how OLE Automation, a feature of Windows 2000, Windows XP, Office 2004 for Mac, and Visual Basic 6, can be hacked to allow remote code execution. These patches should also be applied to Windows Server 2003, but are less critical in the Microsoft severity ratings. Excel has its own vulnerability, which is plugged with patches explained in Microsoft Security Bulletin MS07-044; this patch is only critical for Office 2000 SP3 and is rated as important for Office XP SP3, Office 2003 SP2, and Office 2004 for the Mac. Microsoft Security Bulletin MS07-045 is a critical patch to Microsoft's Internet Explorer browser that copes with three separate vulnerabilities that allow remote code execution. This set of patches is critical on Windows 2000 SP 4 with IE 5.01 SP4 or IE 6 SP1 and on Windows XP SP2 with IE 6; on Windows Server 2003 with IE 6 this is only a moderate security risk, and on Windows XP SP2 and Windows Vista with IE 7 it is rated as merely important. Microsoft Security Bulletin MS07-046 explains how a flaw in the Graphics Rendering Engine in all Windows releases except Windows Server 2003 SP2 and Windows Vista can allow a hacker crafting images to break into your machine and run code; this flaw has been patched. Finally, the last critical patch comes in Microsoft Security Bulletin MS07-050, which explains how the Vector Markup Language used across the entire Windows line can be exploited if you don't take your Windows Update medicine.

As the security bulletin also explains, three important patches were put out to plug holes in Windows Media Player, Windows Gadgets, and in Virtual PC and Virtual Server. The first two vulnerabilities allow remote execution of code, while the latter allows elevation of user privileges that in turn would allow a user on a guest virtual machine to run code on the host operating system or another guest VM.

RELATED STORIES

A Potpourri of Fixes Marks A Slow Patch Tuesday

Microsoft Patches 17 Flaws in Client Products

Patch Tuesday Yields Seven Critical Patches for 19 Flaws

Microsoft Patches Animated Cursor Flaw in Windows

Microsoft Skips Patch Tuesday for March