10 October 2007, 09:17

Microsoft Patch Tuesday: six instead of seven security bulletins

Microsoft has released a total of six security bulletins for October 2007. The Redmond-based company has resolved vulnerabilities rated as "Critical" in Internet Explorer, Outlook Express, Windows Mail and Kodak Image Viewer. These vulnerabilities could allow an attacker to remotely execute code and gain control of unpatched systems. A fix for the Windows remote procedure call (RPC) service and the SharePoint patch, which was postponed on September 2007 Patch Tuesday, were rated merely as "Important" bulletins since they can only be misused for denial of service attacks or elevation of privileges.

A cumulative security update has been issued containing three patch packages for Internet Explorer 5.5, 6 and 7. The first patch resolves an unexplained vulnerability that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Microsoft explicitly states that users with restricted rights on the system could be affected less than users who operate with administrative user rights. The other two patch bundles concern the browser's address field. Without the patches, attackers could possibly ensure that a trustworthy URL is displayed when a user clicks on a specially crafted link, but the content that is displayed could be from a completely different server that is under the attacker's control. This would make phishing attacks much easier to carry out, for example.

Unpatched versions of Outlook Express 5.5 and 6 and the Vista versions of Windows Mail could allow remote code execution in manipulated USENET messages due to an incorrectly handled malformed NNTP response. The expanded mailer version of Outlook that is part of Microsoft's office suite apparently does not contain the flaw. Due to a buffer overflow users who open a specially crafted Word file in Word 2000 or 2002 (both with Service Pack 3) could be infected with malware (MS07-060). Microsoft Office 2004 for Macs is also affected and should be patched.

A vulnerability in the RPC facility could be exploited by sending manipulated RPC authentication requests to vulnerable systems. The flaw affects all current versions of Windows but this time according to Microsoft only causes a crash or a reboot of the system. The vulnerability in Kodak Image Viewer only affects systems running Windows 2000 SP 4. However, systems running supported editions of Windows XP and Server 2003 may also be affected if they were upgraded from Windows 2000. According to Microsoft, the 64-bit editions and Vista are not affected by the problem.

The SharePoint vulnerability affects Microsoft SharePoint Services 3.0 in supported editions of Microsoft Windows Server 2003 and supported editions of Microsoft Office SharePoint Server 2007. The vulnerability could allow an attacker to run arbitrary script that could result in elevation of privileges within the SharePoint site and might modify a user's cache data, which could result in the disclosure of confidential information.

According to the Microsoft Security Response Center Blog, it was decided not to issue a seventh bulletin as originally stated in October's Advanced Notification due to a "quality control issue." The blog also reports that Microsoft has re-released Bulletin MS05-004, which resolved a critical vulnerability in ASP.NET in early 2005 and is now available as Version 4.0. The only difference between the new version and the previous is that it includes Server 2003 Service Pack 2 and Vista as affected platforms.