One Patch Tuesday leads to another
As announced, Microsoft has released four of the eight bulletins originally expected for the first Patch Tuesday in January 2007. Microsoft's Office products, including the Outlook e-mail client, now have nine fewer holes, most of which were critical; in addition, an urgent patch has been applied to a graphics component used by Internet Explorer. All of the bulletins concern holes that attackers may be able to use to inject and execute malicious code with user rights from the Internet.
The critical bulletin MS07-004 concerns a vulnerability in the library that displays graphics in the VML format (Vector Markup Language). Both the 32- and 64-bit versions of Windows 2000, XP, and Server 2003 are affected. The main entry points are the various versions of Internet Explorer, which use the VML module to display graphics. Attackers may be able to exploit the programming flaw to inject arbitrary malicious code when surfers visit manipulated websites with Internet Explorer.
Bulletin MS07-003, also categorized as critical, describes how attackers can use specially prepared e-mails to execute arbitrary commands in Microsoft's Outlook 2000, XP, and 2003 from the respective Office suites. MS07-002, another critical bulletin, concerns the Excel spreadsheet application in MS Office 2000, XP, and 2003, Works Suite 2004 and 2005, and the Mac versions Office 2004 and v.X. Manipulated documents containing malicious code can trip up the program and cause it to execute the embedded code.
Users of the spell check for Brazilian-Portuguese should be especially careful not to accidentally check a paragraph of malicious code for typos before installing the patch. In some circumstances, this routine may install malicious software on your system if you are using version 2003 of Office, Visio, or Project. Bulletin MS07-001, which concerns this flaw, is only categorized as "important" because the Brazilian-Portuguese spell check is only used by a relatively small proportion of the user base and therefore does not represent a very attractive target.
But as a current overview by ISC demonstrates, a large number of critical security holes still plague Microsoft products, even though functioning exploits for them are already in circulation. In particular, by next Patch Tuesday a number of unprotected systems will probably fall victim to the exploits for the three unpatched holes in Word and for the vulnerability in the ADODB ActiveX control, which has been known since September.
It remains unclear which four bulletins were withdrawn before today's release, and the reasons for the withdrawal are also unknown. Microsoft does say, however, that users and admins should immediately start installing the patches for the vulnerabilities discussed above, which it is now distributing via its security update system.
- Microsoft Security Bulletin Summary for January, 2007, Microsoft's summary for Patch Tuesday
- Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969), Microsoft Bulletin MS07-004
- Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938), Microsoft Bulletin MS07-003
- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198), Microsoft Bulletin MS07-002
- Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution (921585), Microsoft Bulletin MS07-001