Patchday: Microsoft has fixed 19 vulnerabilities in their products

As announced last Friday in their advance notification, Microsoft haspublished seven security bulletins on May Patchday. These updates onsecurity advisories fix a total of 19 security vulnerabilities in thevendor’s products.

One update closes the critical vulnerability inWindows DNS Server, whereby manipulated RPC packages caused buffer overruns in the DNS service; they could be used to infiltrate malicious code, which was then executed by the service with SYSTEM privileges. The cumulative update of security bulletin MS07-027 fixes six bugs in Microsoft’s Internet Explorer, some of which could also be exploited for malicious code execution.

The patch for Excel closes three vulnerabilities in the spreadsheet analysis tool, which could be used by manipulated documents to infiltrate malicious code. A patch is also provided for three critical security holes in Word, which have beenactively exploited for quite some time. Security bulletin MS07-025 fixes a security problem occurring when manipulated drawing objects are processed in Microsoft Office, a vulnerability also rated as critical by the software vendor.

Updates have also been released for Microsoft’s Exchange Server to close four holes. When decoding manipulated e-mails in MIME format, attackers were able to gain complete control over an Exchange Server; manipulated iCal calendar objects and IMAP requests could cause the mail server to crash, and Outlook Web Access was vulnerable to cross-site scripting.

Microsoft also provides a patch for their Cryptographic API Component Object Model (CAPICOM), which could allow arbitrary code execution when certificates are processed. This bug affects applications using CAPICOM, the platform SDK and the BizTalk servers of the Redmond-based vendor.

Finally, an update has been released for the Malicious Software Removal Tool (MSRT), which checks computers for infections and helps remove any infection found. Since these updates fix several critical security vulnerabilities, users are advised to install them as soon as possible.

See also:

• Microsoft Security Bulletin Summary for May 2007, security bulletin summary for May 2007
• Vulnerabilities in Microsoft Excel Could Allow Remote CodeExecution (934233), security bulletin MS07-023
• Vulnerabilities in Microsoft Word Could Allow Remote CodeExecution (934232), security bulletin MS07-024
• Vulnerability in Microsoft Office Could Allow Remote CodeExecution (934873), security bulletin MS07-025
• Vulnerabilities in Microsoft Exchange Could Allow RemoteCode Execution (931832), security bulletin MS07-026
• Cumulative Security Update for Internet Explorer(931768), security bulletin MS07-027
• Vulnerability in CAPICOM Could Allow Remote Code Execution(931906), security bulletin MS07-028
• Vulnerability in RPC on Windows DNS Server Could AllowRemote Code Execution (935966), security bulletin MS07-029

(mba)