Column

Inside MSRC: Visual Studio update affects multiple systems

For September 2007 we are releasing four new security bulletins. One of the bulletins, for Windows 2000 only, is rated "Critical." The remaining three are rated "Important."

To help with your planning and risk assessment, in this month's column I'll cover information to help you understand which systems are affected by MS07-052, the Crystal Reports bulletin, and MS07-053, the Services for UNIX bulletin.

First, though, I'll briefly recap some information that is important and useful for your deployment infrastructure planning.

Expiration of support for MBSA 1.2.1
With the September release, we are one month away from the expiration of support for Microsoft Baseline Security Analyzer (MBSA) 1.2.1. We will provide support for MBSA 1.2.1 for the October 2007 release, until Oct. 9, 2007. After that date, we will no longer provide support for MBSA 1.2.1 for new security updates. If you've not done so already, we strongly encourage you to begin upgrading to the latest version, MBSA 2.0.1. You can get more information about MBSA 2.0.1 here.

About Inside MSRC:
As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

Microsoft Update Catalog
I discussed this in last month's Inside MSRC column, but because it can be such a valuable resource, I'll mention once again that we have another tool to help you deploy updates, including security updates: the Microsoft Update Catalog. This is a searchable catalog of all security updates, drivers and service packs that are available through Windows Update (WU) and Microsoft Update (MU). You can use the Microsoft Update Catalog to distribute these updates through a corporate network, using tools such as WSUS 3.0, System Center Essentials (SCE) or System Center Configuration Manager (SCCM).

You can get more information on the Microsoft Update Catalog. The Microsoft Update team also has information on this, as well as other topics, on their TechNet blog.

MS07-052 and MS07-053
MS07-052, the Crystal Reports for Visual Studio bulletin, and MS07-053, the Services for UNIX bulletin, have slightly more complex scenarios in terms of the possible affected systems.

MS07-052 addresses a code execution vulnerability that can be exploited when opening a malformed Crystal Reports .RPT file. Crystal Reports is installed with some versions of Visual Studio. MS07-052 goes into more detail about which versions of Visual Studio include Crystal Reports for Visual Studio.

MS07-053 addresses an elevation of privilege vulnerability in Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for UNIX-based Applications within Windows.

Windows Services for UNIX 3.0 and 3.5 are available as separate downloads and must be downloaded and installed. They are not part of any version of Windows by default. The Subsystem for UNIX-based Applications is a component of both Windows Server 2003 and Windows Vista but is not installed by default.

This means that, by default, no version of Windows is vulnerable to these issues. However, if you have enabled the Subsystem for UNIX-based Applications or downloaded and installed either Windows Services for UNIX 3.0 or 3.5, you should apply the security updates. You can get more information about the systems affected in MS07-053.

For both MS07-052 and MS07-053 you can use MBSA 2.0.1, this month's edition of the Enterprise Scan Tool (EST), WSUS and Systems Management Server (SMS) to identify systems that the security updates apply to. You can also use WSUS and SMS to deploy these updates.

Conclusion
On Wednesday, Sep. 12, at 11 a.m. Pacific Time, we'll be holding our monthly security bulletin webcast. Mike Reavey and I will be reviewing this month's bulletins, taking your questions and giving you answers prepared by our subject matter experts. If you can't join us for the live broadcast, you can also listen to the webcast later, on demand.

As I noted earlier, the October 2007 bulletin release will be on Tuesday, Oct. 9, so be sure to mark your calendars for that and check back then for the next edition of this column with information to help you plan and deploy the release for your environment.

