Patchday: Microsoft fixes 15 vulnerabilities
Microsoft's patches for June fix 15 vulnerabilities in its products. As announced in its advance notification, Microsoft has published a total of six security bulletins, four of which are critical.
The most comprehensive patch packet is MS07-033, which fixes a total of six vulnerabilities in Internet Explorer. One of them is a further instalment in the never-ending saga of COM objects that can be instantiated from a web page as ActiveX controls even though they were never designed for that purpose, which can corrupt memory and is rated critical. Internet Explorer 7 and Vista are not affected by this vulnerability, but the new Microsoft browser on the latest Microsoft operating system is exposed to other critical vulnerabilities: an error in the speech control and the handling of certain uninitialised objects could allow remote code execution, that is, the injection and execution of attacker-supplied code through a web site.
The cumulative update in security bulletin MS07-034 fixes four bugs in Outlook Express and Windows Mail. Interestingly, this patch is rated critical only for Vista: opening a specially crafted e-mail containing a Universal Naming Convention (UNC) path (\\server_name\volume_name\path) in Vista's Windows Mail could allow remote code execution. The other three vulnerabilities could disclose confidential information if a user visits a specially crafted web page with Internet Explorer; according to Microsoft they may allow cross-domain information disclosure.
Vista users are unaffected by the other two critical vulnerabilities. According to security bulletin MS07-031, the Secure Channel (Schannel) security package, which implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for Windows and is used by Internet Explorer among other programs, could allow remote code execution if a user views a specially crafted web page in a web browser, or for that matter uses any other application that relies on Schannel for SSL/TLS. Because the flaw sits in the system library rather than in the browser, the operating system update is the fix, and it matters for every Schannel client on the machine, not just Internet Explorer.
The description of the last critical update is extremely vague. Security bulletin MS07-035 describes a privately reported vulnerability in the Win32 API that "does not correctly validate parameters passed to it in a function call", with no hint as to which function is affected. Given the sophisticated patch-diffing tools now routinely used to analyse updates, it remains to be seen whether this restrictive information policy will actually delay exploitation of the vulnerability.
In addition, MS07-030 resolves two important vulnerabilities in Visio (Office 2003) that could allow remote code execution if a user opens a specially crafted Visio file (.vss, .vsd or .vst). And last but not least, MS07-032 resolves a vulnerability in Windows Vista that could allow local users with restricted privileges to read local user information data stores, including administrative passwords held in the registry and on the local file system. Microsoft rates this update Moderate.
As in previous months, Microsoft has also released an update for its Malicious Software Removal Tool (MSRT), which scans the computer for known, widespread infections and helps remove them. Since this month's updates fix several critical vulnerabilities, Windows users are advised to install them as soon as possible: in the past, web sites exploiting freshly patched vulnerabilities to surreptitiously install spyware and trojan horses on the computers of unsuspecting visitors have appeared shortly after a patch release.
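A quick way to confirm that this month's bulletins are actually present on a machine, added here as an example and not taken from the article or from Microsoft: the script below reads the installed hotfix list and reports which of the six KB numbers named in the bulletin titles are not registered. It assumes PowerShell 2.0 or later (for Get-HotFix, which queries the Win32_QuickFixEngineering WMI class) and that the installer registers the KB there, which not every update type does.

```powershell
# Added example (not from the original article): audit a Windows host for the
# six June 2007 bulletins by the KB numbers given in the bulletin titles.
# Assumes PowerShell 2.0+ (Get-HotFix). Not every update type registers in
# Win32_QuickFixEngineering, and several bulletins apply to one OS only
# (MS07-032 is Vista-only, MS07-031 does not apply to Vista), so treat a
# "not registered" line as "verify against Windows Update", not as proof.

$bulletins = @{
    'KB927051' = 'MS07-030 Visio remote code execution'
    'KB935840' = 'MS07-031 Schannel remote code execution'
    'KB931213' = 'MS07-032 Vista information disclosure'
    'KB933566' = 'MS07-033 Internet Explorer cumulative update'
    'KB929123' = 'MS07-034 Outlook Express / Windows Mail cumulative update'
    'KB935839' = 'MS07-035 Win32 API remote code execution'
}

function Get-MissingBulletins {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # HotFixID is normally the literal 'KBnnnnnn' string; normalise case anyway.
    $installed = Get-HotFix -ComputerName $ComputerName |
        ForEach-Object { $_.HotFixID.ToUpper() }

    $missing = @()
    foreach ($kb in $bulletins.Keys) {
        if ($installed -notcontains $kb) {
            $missing += New-Object PSObject -Property @{
                KB       = $kb
                Bulletin = $bulletins[$kb]
            }
        }
    }
    # Wrap in @() so a single hit is still an array with a .Count.
    return @($missing)
}

$os = (Get-WmiObject Win32_OperatingSystem).Caption
$result = Get-MissingBulletins
if ($result.Count -eq 0) {
    Write-Host "All six June 2007 bulletins are registered on this host ($os)."
} else {
    Write-Host "Bulletins not registered on this host ($os); verify via Windows Update:"
    $result | Sort-Object KB | Format-Table KB, Bulletin -AutoSize
}
```

Run it with administrative rights on each host, or pass -ComputerName to query a remote machine over WMI. The OS caption is printed alongside the result so that a "missing" MS07-032 on Windows XP, or a missing MS07-031 on Vista, can be recognised as not applicable rather than as an unpatched system.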
- Microsoft Security Bulletin Summary for June 2007
- Security Bulletin MS07-030: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (927051)
- Security Bulletin MS07-031: Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)
- Security Bulletin MS07-032: Vulnerability in Windows Vista Could Allow Information Disclosure (931213)
- Security Bulletin MS07-033: Cumulative Security Update for Internet Explorer (933566)
- Security Bulletin MS07-034: Cumulative Security Update for Outlook Express and Windows Mail (929123)
- Security Bulletin MS07-035: Vulnerability in Win32 API Could Allow Remote Code Execution (935839)