Inside MSRC: Microsoft explains security bulletins

Column

Inside MSRC: Microsoft explains security bulletins

The February 2007 monthly security bulletin has 12 new patches that address issues in Microsoft Windows, Microsoft Office, Microsoft Visual Studio, Step-by-Step Interactive Training, Microsoft Data Access Components and the Malware Protection Engine that is used by Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, Microsoft Forefront Security for Exchange Server and Microsoft Forefront Security for SharePoint. Six of the bulletins have a maximum severity rating of critical while the remaining six have a maximum severity rating of important.

To help with your planning for this month, I'll first go through the bulletins to call out information that we feel is particularly important. I'll then provide you with some important updates regarding our detection and deployment tools for this month. Finally, I will close with information about a non-security update that is nonetheless critical as it addresses the changes to daylight-saving time in the United States.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

About Inside MSRC:
As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

Also see:

Inside MSRC: Microsoft updates WSUSSCAN issue

Inside MSRC: Visual Studio flaw, tool extensions explained

Inside MSRC: Microsoft details security tool update

MS07-014 and MS07-015 (Office)

In your planning and analysis of this month's bulletins, I want to draw your attention to the two bulletins that apply to Microsoft Office: MS07-014 and MS07-015. Both bulletins address a total of five issues that have been publicly disclosed. Four of these have been subject to very limited, targeted attacks. Even though the attacks have been very limited in scope, we urge you to make these your top priority for testing and deployment.

MS07-014 addresses six vulnerabilities in Microsoft Word. While these do not affect Microsoft Word 2007, all other supported versions of Microsoft Word are vulnerable.

The bulletin is rated critical for Microsoft Word 2000 and important for all other versions of Word, due to the presence of additional security trust controls. Four of the vulnerabilities were publicly disclosed in December 2006 and January 2007, with three of these subject to very limited, targeted attacks.

In each case, when we learned of an issue we immediately initiated our Software Security Incident Response Process (SSIRP) to investigate the issue and provide information about its scope along with steps customers can take to protect themselves. As soon as we had information on the situation, we provided it through a posting to the MSRC weblog. In addition, we've issued two security advisories on these issues. To help you see which issues we've posted information on, below is a table matching the specific vulnerability by CVE number with the postings we've made:

CVE-2006-5994 Dec. 5, 2006
  • http://blogs.technet.com/msrc/archive/2006/12/06/microsoft-security-advisory-929433-posted.aspx
  • http://www.microsoft.com/technet/security/advisory/929433.mspx
    		•
    CVE-2006-6456 Dec. 10, 2006
  • http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
    • CVE-2006-6561 Dec. 15, 2006
  • http://blogs.technet.com/msrc/archive/2006/12/15/update-on-current-word-vulnerability-reports.aspx
    • CVE-2007-0515 Jan. 26, 2007
  • http://blogs.technet.com/msrc/archive/2007/01/26/microsoft-security-advisory-932114-posted.aspx
  • http://www.microsoft.com/technet/security/advisory/932114.mspx
    		•

    MS07-015 addresses two vulnerabilities that affect all currently supported versions of Microsoft Office except the 2007 Microsoft Office system and Office v.X for Mac. One of these issues was publicly disclosed and subject to very limited, targeted attacks. Below is information that we have provided on this issue from our SSIRP process:

    CVE-2007-0671 Feb. 2, 2007
  • http://blogs.technet.com/msrc/archive/2007/02/02/microsoft-security-advisory-932553-posted.aspx
  • http://www.microsoft.com/technet/security/advisory/932553.mspx

    • While the second vulnerability that is addressed in MS07-015 has not been publicly disclosed, there is information about it that you should be aware of. This addresses a vulnerability, PowerPoint Malformed Record Memory Corruption Vulnerability - CVE-2006-3877, that we first discussed in MS06-058 but later learned wasn't effectively addressed by that update. We have addressed this in MS07-015, and all our detection and deployment tools have been updated to correctly offer and install MS07-015 to address this vulnerability. We've also updated the original MS06-058 bulletin to reflect this fact and point to MS07-015 to address that vulnerability. I do want to note that the updates for MS06-058 protect against the other three vulnerabilities discussed in that bulletin.

    MS07-009 (MDAC)

    The MS07-009 bulletin addresses a critical vulnerability in Microsoft Data Access Components 2.5, 2.7 and 2.8. This issue was publicly disclosed with proof-of-concept code for which there have been no attacks. We provided information on this from our SSIRP process when we first learned about it through the posting listed below:

    CVE-2006-5559 Oct. 27, 2006
  • http://blogs.technet.com/msrc/archive/2006/10/27/adodb-connection-poc-published.aspx

    • While there are no active attacks against this issue, due to the presence of publicly available proof-of-concept code, we encourage you to prioritize the testing and deployment of this update along with MS07-014 and MS07-015.

    MS07-010 (Antivirus)

    MS07-010 addresses a vulnerability that occurs in the Malware Protection Engine when processing a specially crafted Portable Document Format (PDF) files. The Malware Protection Engine is in turn used in several Microsoft technologies and applications, specifically Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, Microsoft Forefront Security for Exchange Server and Microsoft Forefront Security for SharePoint. The vulnerable code is not in these technologies, but in the Malware Protection Engine; however, because the products use the Malware Protection Engine, they provide a vector to exploit the vulnerability in the Malware Protection Engine.

    Because the vulnerability is in the Malware Protection Engine, the protection for this vulnerability is delivered through updates to the Malware Protection Engine itself. While different applications use different means for updating the Malware Protection Engine, they are all configured by default to receive the updates automatically. If you have not changed this, then you need take no action for this bulletin: Your system will be protected automatically (and may already be protected by the time you read this column). For more information about how these updates are being delivered, please see the "Frequently Asked Questions (FAQ) Related to This Security Update" section of MS07-010.

    MS07-011, MS07-012, MS07-013 (RichEdit)

    I would like to call your attention next to three bulletins with inter-related aspects: MS07-011 through MS07-013. Although each addresses a different vulnerability, the vulnerabilities all relate to malformed OLE objects embedded within Rich Text Format (RTF) documents.

    An attempt to exploit this vulnerability would require an attacker to create a specially malformed OLE object within a RTF document, convince a user to open the RTF, either by sending it through e-mail or posting it on a Web site, and then convince the user to locate and manipulate the OLE object.

    Each bulletin addresses a different vulnerability that could be exploited in this way. They are separate updates and bulletins because each vulnerability affects different products and code paths. None of the updates are dependent on each other; you can install them in any order. However, we do recommend that you install all three updates for fullest protection.

    MS07-011 contains a defense-in-depth change in addition to the changes to address the vulnerability. This change helps address attack vectors related to the vulnerability addressed in MS07-012. This change helps mitigate attempts to exploit the issue addressed by MS07-012, but we still recommend that you apply that update as well.

    Finally, MS07-012 contains updates that apply to redistributable components within Visual Studio. Specifically, there are updated versions of mfc70u.dll from Visual Studio .NET 2002 and mfc71u.dll from Visual Studio .NET 2003. If you redistribute either or both of these files as part of any application you've developed, you will want apply the update to your development systems and then provide updated versions of the application that contain these updated files. If you use an application that contains these files, you should contact the vendor for that application and work with the vendor to determine whether you need an updated version of the application.

    Update: WSUSSCAN.CAB

    For the February release, we are removing information about active security updates from the legacy WSUSSCAN.CAB. In an effort to minimize the impact of these removals, we have targeted older, lower severity updates. To support the February release, we are removing information about the following active security updates:

  • Information about all Moderate severity updates from 2004 and 2005
  • Information about Important severity updates from 2004

    A reminder that the month of March will be the last month we provide support for the legacy WSUSSCAN.CAB. Because of that, we strongly encourage you to upgrade to the latest versions of our tools that use this file. You can get more information about the situation in last month's column.

    MBSA and Windows Vista

    I noted in the January 2007 column (http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1238217,00.html) that MBSA 2.0.1 provides support for Windows Vista-based systems only through remote scanning when run from a non-Windows Vista-based system. Since the January 2007 column, we have posted Microsoft Knowledge Base Article 931943 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;931943) to discuss this issue in greater depth.

    This Knowledge Base article provides guidance on how to use MBSA 2.0.1 on non-Windows Vista-based systems to scan Windows Vista-based systems for security updates. The article also shares information about limitations with MBSA 2.0.1 and Windows Vista. Specifically, MBSA 2.0.1 cannot be used against Windows Vista-based systems that retrieve updates from Windows Server Update Services (WSUS). In addition, the vulnerability assessment capabilities of MBSA 2.0.1 that scan for common weaknesses and misconfigurations do not work against Windows Vista-based systems.

    I also want to remind you that full support for Windows Vista within MBSA will be provided by the upcoming MBSA 2.1. We intend to have a beta version of MBSA 2.1 available in the next few months and a full release hopefully sometime around summer 2007.

    Daylight-Saving Time update

    Finally, I wanted to call your attention to a very important nonsecurity update for this month. Starting in the spring of 2007, the start and end dates for daylight-saving time (DST) will change to comply with the Energy Policy Act of 2005. This means that DST dates in the United States will start three weeks earlier, at 2 a.m. on the second Sunday in March, and end one week later, at 2 a.m. on the first Sunday in November.

    To ensure that system clocks update correctly under this new schedule, we're making updates available for Windows (KB931836) and Exchange 2003 (926666) systems. These updates are being made available automatically to those customers who have enabled automatic updates through Windows Update (WU) or Microsoft Update (MU). In addition, these updates will be made available through Software Update Services (SUS) and Windows Server Update Services (WSUS). Note that the update for Windows, KB931836, is considered a cumulative update because it contains both several previously released timezone updates plus new additional changes. Because of this, it's being published in the "Update Rollup category on WU, MU, SUS, and WSUS. For those customers using Systems Management Server Inventory Tool for Microsoft Updates, it will be included in the ITMU and can be deployed using ITMU.

    Even though this isn't a security update, it is a critical update for all your systems, and we encourage you to test and deploy it as quickly as possible, before the DST changes in March 2007.

    You can also get information on the US Daylight Savings Time change at our special Daylight Saving Time Help and Support Center.

    Last, I'd like to remind you about this month's security bulletin webcast. It will be on Wednesday, Feb. 14, at 11 a.m. PST (U.S. and Canada), and you can register for it here

    Our next security bulletin release is scheduled for Tuesday, March 13, 2007. So I'll be back then with another column to help with your planning for and deployment of the March bulletins.