For September 2007 we are releasing four new security bulletins. One of the bulletins, for Windows 2000 only, is rated as Critical. The remaining three are rated "important."
To help with your planning and risk assessment, in this months' column, I'll cover information to help you understand what systems are affected by MS07-052, the Crystal Reports bulletin, and MS07-053, the Services for UNIX bulletin.
First, though, I'll briefly recap some information that is important, and useful for your deployment infrastructure planning.
Expiration of support for MBSA 1.2.1
With the September release, we are one month away from the expiration of support for Microsoft Baseline Security Analyzer (MBSA) 1.2.1. We will provide support for MBSA 1.2.1 for the October 2007 release, until Oct. 9, 2007. After that date, we will no longer provide support for MBSA 1.2.1 for new security updates. If you've not done so already, we strongly encourage you to begin upgrading to the latest version, MBSA 2.0.1. You can get more information about MBSA 2.0.1 here.
Microsoft Update Catalog
I discussed this in last month's Inside MSRC column, but because it can be such a valuable resource, I'll mention once again that we have another tool to help you deploy updates, including security updates: the Microsoft Update Catalog. This is a searchable catalog of all security updates, drivers and service packs that are available through Windows Update (WU) and Microsoft Update (MU). You can use the Microsoft Update Catalog to distribute these updates through a corporate network, using tools such as WSUS 3.0, System Center Essentials (SCE) or System Center Configuration Manager (SCCM).
MS07-052 and MS07-053
The MS07-052, the Crystal Reports for Visual Studio bulletin, and MS07-053, the Services for UNIX bulletin have slightly more complex scenarios in terms of the possible affected systems.
MS07-052 addresses a code execution vulnerability that can be exploited when opening a malformed Crystal Reports .RPT file. Crystal Reports is installed with some versions of Visual Studio. MS07-052 goes into more detail about what versions of Visual Studio include Crystal Reports for Visual Studio.
MS07-053 addresses an elevation of privilege vulnerability in Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for UNIX-based Applications within Windows.
Windows Services for UNIX 3.0 and 3.5 are available as separate downloads and have to be downloaded and installed. They are not part of any version of Windows by default. The Subsystem for UNIX-based Applications is a component of both Windows Server 2003 and Windows Vista but is not installed by default.
This means that, by default, no version of Windows is vulnerable to these issues. However, if you have enabled the Subsystem for UNIX-based Applications or downloaded and installed either Windows Services for UNIX 3.0 or 3.5, you should apply the security updates. You can get more information about the systems affected in MS07-053.
For both MS07-052 and MS07-053 you can use MBSA 2.0.1, this month's edition of the Enterprise Scan Tool (EST), WSUS and Systems Management Server (SMS) to identify systems that the security updates apply to. You can also use WSUS and SMS to deploy these updates.
On Wednesday, Sep. 12, at 11 a. m. Pacific Time, we'll be holding our monthly security bulletin webcast. Mike Reavey, and I, will be reviewing this month's bulletins and taking your questions and giving you answers prepared by our subject matter experts. If you can't join us for the live broadcast, you can also listen to the webcast later, on-demand.
As I noted earlier, the October 2007 bulletin release will be on Tuesday, Oct. 9; so be sure to mark your calendars for that and check back then for the next edition of this column with information to help you plan and deploy the release for your environment.