Microsoft drops 6 bulletins, fixing 11 vulnerabilities

Microsoft's Patch Tuesday train arrived today with six bulletins covering at least 11 vulnerabilities, most carrying the company's highest severity rating.

The two three other bulletins deal with a "moderate" information disclosure flaw in the Vista Firewall, and two"important" issues affecting IIS 5.1 on Windows XP SP2 and Microsoft Office Publisher 2007.

The July Patch Tuesday cheat-sheet:

MS07-036-- Covers three different vulnerabilities in Microsoft Excel that could lead to complete PC takeover attacks. One of the three bugs was publicly disclosed before this patch release. These flaws affect the latest 2007 Microsoft Office System but the severity is downgraded for this version because of defense-in-depth mitigations built into the product.

MS07-037 -- This covers a remote code execution hole in Microsoft Office Publisher 2007. An attacker could exploit the vulnerability by constructing a specially crafted Publisher (.pub) page. When a user views the .pub page, the vulnerability could allow remote code execution. Rated "important," it was discovered by researchers at eEye Digital Security in February, meaning that it took Microsoft about six months to deliver a fix. eEye reckons this patch is 73 days overdue.

[ ALSO SEE: Skeletons in Microsoft's Patch Day closet ]

MS07-038 -- This is the only patch in this month's batch that affects Windows Vista. It is an information disclosure issue in Windows Vista that could allow a remote anonymous attacker to send inbound network traffic to the affected system. It would be possible for the attacker to gain information about the system over the network. The bug was privately reported to Microsoft by Jim Hoagland and Ollie Whitehouse of Symantec.

MS07-039 -- Covers a pair of "critical" vulnerabilities in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 that could allow remote code execution or a denial of service condition.

MS07-040 -- This update fixes at least three vulnerabilities in the .Net Framework. Microsoft says two of these bugs could allow remote code execution on client systems with .NET Framework installed, and one could allow information disclosure on Web servers running ASP.NET. One of these flaws was "partially disclosed" at the recent SyScan conference in Singapore and there were rumblings that Microsoft kept pushing off patching this issue for several months. Keep your eyes on Security-Assessment for more on this.

MS07-041 -- Contains a patch for an "important" remote code execution vulnerability in Microsoft Internet Information Services (IIS). An attacker could send specially crafted URL requests to a Web page hosted by Internet Information Services (IIS) 5.1 on Windows XP Professional Service Pack 2 to take complete control of an affected system. IIS 5.1 is not part of a default install of Windows XP Professional Service Pack 2.