In this month's column, I will review the severity of the release at a high level. Then I will delve into the details of three of the bulletins. Lastly, I will talk about the release of Internet Explorer 7 via Windows Server Update Services (WSUS).
Before I get started, I want to mention, as always, that testing the security updates on non-production machines first will help you identify issues that may arise from the security update process. While all of our security updates are rigorously tested prior to public release, we cannot duplicate the multitude of diverse computing environments that exist. For comprehensive guidance regarding testing and deployment, please review the Update Management Process.
For February 2008, we are releasing 11 new security bulletins. Six of the bulletins are rated as Critical and fall under the classification of Remote Code Execution (RCE). That is, an attacker can run malicious code in the context of the logged in user. The remaining bulletins, rated as Important, fall under the classifications of Denial of Service (DoS), Elevation of Privilege (EoP) and Remote Code Execution (RCE), can cause a system to stop responding, grant a user greater privileges on a system and executes code in the context of the logged on user, respectively.
While it may seem that RCE's should always be rated as Critical, when they are rated as Important, there are mitigating circumstances that lower the threat. For example, a particular technology that is affected may not be enabled or installed on the system by default. In this month's security bulletin release, there are some bulletins where most of the products affected are Critical, but another product in the same bulletin is rated lower. For instance, Windows Server 2003 is rated lower than other versions of the product because the vulnerable service may be turned off by default. Also, Windows Server 2003 runs in a restricted mode, which is known as Enhanced Security Configuration and can lower the severity. A word of caution—these mitigations do not apply in all situations. I encourage you to go over the bulletins in detail to gain a complete understanding of the details.
MS08-005 and MS08-006
Both of these bulletins address vulnerabilities in Internet Information Services (IIS). We are releasing two IIS bulletins because these updates address different components, platforms, and versions of IIS. Therefore, you may deploy one and not the other depending on their platform. In the interest of increasing deployment efficiency for the common case, it was decided to publish the security updates separately.
Of the bulletins that are rated as Critical, Internet Explorer addresses, among other things, a vulnerability that is public and has been assigned Common Vulnerability and Exposure number CVE-2007-4790. We have not received any information to indicate that this vulnerability has been publicly used to attack customers and have not seen any examples of proof of concept code published. On some platforms, Internet Explorer 5.01 and Internet Explorer 6 have been rated as Critical. The remaining versions and platforms have a lower rating. Equally important, MS08-010 addresses a different vulnerability that is rated as Critical and encompasses all platforms.
Windows Internet Explorer 7 Installation and Availability Update
In tandem with today's release, we have released the Windows Internet Explorer 7 Installation and Availability update to Windows Server Update Services (WSUS) marked as an Update Rollup package. If you have configured WSUS to "auto-approve" Update Rollup packages (this is not the default configuration), Windows Internet Explorer 7 will be automatically approved for installation after February 12, 2008. For additional information regarding this release please review Knowledge Base Article 946202.
On a final note, there are a few things that I would like to bring to your attention. Windows Vista Service Pack 1 and Windows Server 2008 are not affected by any of the bulletins. Moreover, Microsoft Office 2007 is not affected by any of the bulletins being released this month.
If you haven't already, I would encourage you to become familiar with the next version of the Microsoft Baseline Security Analyzer (MBSA) – slated for release soon – which will have full Windows Vista support, as well as other enhancements.
I want to encourage you to take a moment and register for our regular monthly security bulletin webcast, which will be held on Wednesday, February 13, at 11:00a.m., Pacific Standard Time.
Adrian Stone, lead security program manager, and myself, security response communications manager, will review information about each bulletin to further aid in your planning and deployment. After our review session, we will answer your questions -- with information from our assembled panel of experts. If you can't make the live webcast, you can also access it on-demand.
Please take a moment and mark your calendars for the March 2008, monthly bulletin. The release is scheduled for Tuesday, March 11, 2008, and the advance notification is scheduled for Thursday, March 6, 2008. Look for the March edition of this column on release day with information to help you with your planning and deployment of the most recent security bulletins.