
Patch Tuesday: 7 bulletins, 19 flaws, all critical

Microsoft has released seven advisories -- all rated critical -- with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Vista is affected by 6 of the 19 flaws.
Written by Ryan Naraine, Contributor

It's an all-critical Patch Tuesday.

Microsoft has just released seven advisories -- all rated critical -- with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser.

Six of the 19 vulnerabilities affect Windows Vista.

The batch of updates includes a promised fix for the Windows DNS RPC vulnerability that was being used in zero-day attacks last month.   

There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. 

Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which covers 4 different flaws.

A cumulative IE update addresses six potentially dangerous bugs.  These are the six that apply to IE 7 on Windows Vista.

The last bulletin in this month's batch applies to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.

The raw details:

MS07-023: Three vulnerabilities in Microsoft Excel that could allow code execution attacks.  This applies to Office 2000 (SP3), Office XP, Excel 2002, Office 2003 (SP2), Excel 2003 (including Viewer), 2007 Office System and Office 2004 for Mac.

MS07-024: Three vulnerabilities in Microsoft Word that put users at risk of PC takeover attacks.  One of these bugs was being exploited in zero-day attacks, so treat this one with the highest possible priority if you depend on Microsoft Word documents.

MS07-025: Covers a single bug affecting the Microsoft Office software suite.  This carries a "critical" rating but the only version vulnerable to code-execution attacks is Office 2000.  The 2007 Office system is affected but the risk is lowered to "important."

MS07-026: This applies to Microsoft Exchange and provides patches for 4 different vulnerabilities.  Affected versions include Exchange 2000 Server, Exchange Server 2003 and Exchange Server 2007.  One of the 4 flaws is rated "critical" across the board.

MS07-027: This is the Internet Explorer patch that affects IE 7 on Windows Vista. In all, this cumulative update fixes six different vulnerabilities that could lead to code execution attacks.  Three of the six bring code execution risks to Vista users.  Exploit code for one of these flaws is publicly available.

MS07-028: A vulnerability in CAPICOM that could allow remote code execution on BizTalk Server 2004.  The flaw lies in CAPICOM.Certificates, an ActiveX control that provides scripters (VBS, ASP, ASP.NET etc.) with a method for encrypting data based on the underlying Windows CryptoAPI functionality.

MS07-029: This addresses the code execution hole in the Windows DNS RPC Interface that was discovered during zero-day attacks last month.  This update should be treated with the highest possible priority if you are running Windows 2000 or Windows Server 2003.  Exploit code and attack information are widely available.

* NOTE: This post was updated to reflect the accurate flaw count.

[UPDATE: May 8, 2007 @ 5:23 PM]  Microsoft offers a free DVD5 ISO image file with all the March 2007 security updates. The image does not contain security updates for other Microsoft products. This DVD5 ISO image is intended for corporate administrators who manage large multinational organizations, who need to download multiple individual language versions of each security update and who do not use an automated solution such as Windows Server Update Services (WSUS).
