For November 2007, the Microsoft Security Response Center (MSRC) is releasing two new bulletins that Windows administrators...
should evaluate for testing and deployment. One bulletin, MS07-061, is rated as Critical – the other, MS07-062, is rated as Important.
In this month's column, I'll review these two new bulletins. In addition, I'll provide some information about the two security advisories that have been released since last month's column – Microsoft Security Advisory 943521 and Microsoft Security Advisory 944653. Finally, I'll briefly cover the re-release of MS07-049, and help you to understand if this re-release applies to you and what actions you need to take if it does.
I wanted to look at MS07-062, the DNS Server spoofing bulletin, in some more detail to help you better understand the issue for your risk assessment.
First, it's important to note that MS07-062 addresses a spoofing vulnerability in the DNS Server service only; it does not apply to the DNS client service in Windows systems. This means that you will need to evaluate this security update only for your Windows 2000 and Windows Server 2003 systems running DNS.
However, while the vulnerability is in the DNS Server service, and you only need to apply the security update to server systems, it is important to understand that the impact of a successful attack can affect client systems.
The specific vulnerability can enable a rogue DNS server to respond to a legitimate DNS query from a vulnerable system and provide that vulnerable system with a malicious address in response to its query. The result: any traffic intended for the legitimate site would be redirected, instead, to the malicious site.
Because of the potential for end-user impact, we encourage you to evaluate this bulletin and test and deploy the update promptly.
MS07-061 and Microsoft Security Advisory 943521
MS07-061 addresses a code execution vulnerability in the Windows shell. The vulnerability affects Windows XP and Windows Server 2003 only. Windows Vista and Windows 2000 are not affected.
This vulnerability was publicly disclosed in Microsoft Security Advisory 943521, which we released on October 10, 2007. At the time of the advisory release, it was noted that we were not aware of any attacks against this vulnerability; however, on Oct. 25, we noted that we had become aware of limited attacks. At the time of the bulletin release, that information has not changed – we have not seen attacks become any more widespread.
While the initial disclosure and discussion of the vulnerability focused on Internet Explorer 7, our research into the issue has shown the actual vulnerability resides within the Windows shell, and not within Internet Explorer. Internet Explorer 7 is relevant to the issue, only in that the public discussion around the vulnerability focused on changes made in how Internet Explorer 7 interacts with the Windows shell. The vulnerability is present on Windows XP and Windows Server 2003 systems, even when Internet Explorer 7 isn't installed. Because of this, all Windows XP and Windows Server 2003 customers should apply the update, regardless of whether or not they have installed Internet Explorer 7.
Microsoft Security Advisory 944653
Microsoft Security Advisory 944653 was issued to let you know about the public disclosure of a vulnerability in a driver provided by Macrovision – secdrv.sys – which is included with Windows XP and Windows Server 2003. It is not included with Windows Vista or Windows 2000. We are also aware of limited attacks against this vulnerability.
Macrovision has released an updated driver that addresses this issue. There is a link to the appropriate page on the Macrovision site, which we've indicated in the "Suggested Actions" section of the security advisory. In addition, we are working with Macrovision to help them integrate their updated driver into our standard security update distribution channel. When we have created an update of appropriate quality for broad distribution through our channel, we will release it with a Microsoft Security Bulletin as part of our standard security bulletin process.
We encourage customers to review our security advisory and the Macrovision advisory to evaluate their risk and take appropriate actions for their environments at this time.MS07-049 Re-release
MS07-049 was re-released today, to address issues that affected a limited group when attempting to install the updates on Microsoft Windows systems. The issue is related to installation only –the updates, originally released in August, fully protect against the vulnerability discussed in the security bulletin when installed successfully. In addition, these issues did not occur for users installing the updates for Virtual PC for the Mac.
If you successfully installed the updates for MS07-049, then you need not take any action. However, if you encountered an issue when attempting to install the updates originally released in August, you should test and deploy the new versions of the updates released today.Conclusion
I want to encourage you to register for the live and on-demand November edition of our monthly security bulletin webcast. This month, the webcast will be broadcast live on Wednesday November, 14, 2007 at 11 a.m. Pacific Time. If you can't make it for the live webcast, you can also view it on-demand after it has aired.
As we do on each monthly webcast, we'll be reviewing information about the bulletins and advisories to help with your planning and deployment. We'll then take the questions that you submit and our room of subject matter experts will answer them live.
Finally, remember that the December 2007, monthly bulletin is slated for Tuesday, Dec. 11. Once again, we'll be back here with information about the December bulletins to help you with your planning and deployment.
Beginning in December, however, I will be handing the reins for this column over to my colleague Bill Sisk, security response communications manager, who is taking over my role for technical communications for the MSRC. I want to thank everyone at SearchSecurity, and all our readers, for helping to make this column so successful in the past year and a half. I know that Bill will do an excellent job in carrying this forward.