Microsoft drops 6 bulletins, fixing 11 vulnerabilities

Summary: Microsoft's Patch Tuesday train arrived today with six bulletins covering at least 11 vulnerabilities, most carrying the company's highest severity rating.


As previously reported, three of the six bulletins are rated "critical." These cover code execution holes in Microsoft Excel, Active Directory and the .NET Framework.

The three other bulletins deal with a "moderate" information disclosure flaw in the Windows Vista firewall and two "important" issues affecting IIS 5.1 on Windows XP SP2 and Microsoft Office Publisher 2007.

The July Patch Tuesday cheat-sheet:

MS07-036 -- Covers three different vulnerabilities in Microsoft Excel that could lead to complete takeover of the PC. One of the three bugs was publicly disclosed before this patch release. The flaws also affect the 2007 Microsoft Office System, but the rating is lower for that version because of defense-in-depth mitigations built into the product.

MS07-037 -- This covers a remote code execution hole in Microsoft Office Publisher 2007. An attacker could exploit the vulnerability by constructing a specially crafted Publisher (.pub) file; when a user opens the file, the vulnerability could allow remote code execution. Rated "important," it was discovered by researchers at eEye Digital Security in February, meaning that it took Microsoft roughly five months to deliver a fix. eEye reckons this patch is 73 days overdue.

MS07-038 -- This is the only bulletin in this month's batch that affects Windows Vista. It is an information disclosure issue in the Windows Vista firewall that could allow a remote anonymous attacker to send unsolicited inbound network traffic to the affected system and thereby gain information about it over the network. The bug was privately reported to Microsoft by Jim Hoagland and Ollie Whitehouse of Symantec.

MS07-039 -- Covers a pair of "critical" vulnerabilities in the Active Directory implementations on Windows 2000 Server and Windows Server 2003 that could allow remote code execution or denial of service.

MS07-040 -- This update fixes at least three vulnerabilities in the .NET Framework. Microsoft says two of these bugs could allow remote code execution on client systems with the .NET Framework installed, and the third could allow information disclosure on Web servers running ASP.NET. One of these flaws was "partially disclosed" at the recent SyScan conference in Singapore, and there were rumblings that Microsoft kept pushing off the patch for this issue for several months. Keep your eyes on Security-Assessment for more on this.

MS07-041 -- Contains a patch for an "important" remote code execution vulnerability in Microsoft Internet Information Services (IIS). An attacker could send specially crafted URL requests to a Web page hosted by IIS 5.1 on Windows XP Professional Service Pack 2 to take complete control of the affected system. Note that IIS 5.1 is not part of a default install of Windows XP Professional SP2, so only systems where it has been added are exposed.
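As an added example (not part of the original post, and not Microsoft's tooling), here is a PowerShell audit a practitioner might run on a Windows host after this Patch Tuesday: it reports the OS version, checks whether IIS is actually present (the MS07-041 caveat above), and looks for the Windows-level fixes in the installed-hotfix list. The KB numbers in the table are recalled from the bulletin titles and are not stated on this page, so confirm them against the MS07-038, MS07-039 and MS07-041 bulletins before relying on the output. Office (MS07-036, MS07-037) and .NET Framework (MS07-040) fixes ship through their own installers and do not appear in Win32_QuickFixEngineering, so they are deliberately not checked here.

```powershell
# Added example: post-Patch Tuesday audit for the Windows-level July 2007 bulletins.
# Not from the original post. Run locally in PowerShell on the host being checked.
#
# ASSUMPTION: the KB numbers below are recalled from the bulletin titles and are
# not given on this page; verify them against the bulletins before use.
# Office and .NET Framework updates are not surfaced by Win32_QuickFixEngineering,
# so MS07-036, MS07-037 and MS07-040 must be verified via Microsoft Update or
# Add/Remove Programs instead.
$bulletins = @{
    'MS07-038' = 'KB935807'   # Windows Vista firewall information disclosure
    'MS07-039' = 'KB926122'   # Active Directory on Windows 2000 Server / Server 2003
    'MS07-041' = 'KB939373'   # IIS 5.1 on Windows XP Professional SP2
}

# Which OS and service pack is this? Decides which bulletins apply at all.
$os = Get-WmiObject Win32_OperatingSystem
"OS: {0} {1}" -f $os.Caption, $os.CSDVersion

# MS07-041 only matters if IIS was added; W3SVC is absent on a default XP Pro install.
$w3svc = Get-WmiObject Win32_Service -Filter "Name='W3SVC'"
if ($w3svc) {
    "IIS present: W3SVC state = {0}, start mode = {1}" -f $w3svc.State, $w3svc.StartMode
} else {
    "IIS not installed (W3SVC service absent); MS07-041 does not apply to this host"
}

# Hotfix IDs as recorded by WMI for this machine.
$installed = Get-WmiObject Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }

foreach ($id in ($bulletins.Keys | Sort-Object)) {
    $kb = $bulletins[$id]
    if ($installed -contains $kb) {
        "{0} ({1}): installed" -f $id, $kb
    } else {
        "{0} ({1}): NOT found; apply it if this OS is in the bulletin's affected list" -f $id, $kb
    }
}
```

A "NOT found" line is only meaningful for an OS the bulletin actually covers (MS07-038 is Vista-only, MS07-039 is for the two server releases, MS07-041 is for XP SP2 with IIS 5.1), which is why the OS line is printed first.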

  • Vista is once again vindicated

    I was never under any doubt that vulnerabilities would be found that would target Vista. The difference is what those vulnerabilities are able to do. No vulnerability coming in through IE even has the ability to write anything to the file system (thanks to Protected Mode). No Office vulnerability can "completely take over the system" thanks to UAC (although I've enjoyed this safety in Windows for 7 years now simply by removing myself from the Administrators group).

    While only time will tell if Vista will fare better in the pure "let's count the number of vulnerabilities" game, there is no doubt that it is already doing very well in the "let's analyze the impact of these vulnerabilities" department.
    • Or, maybe...

      Researchers just aren't giving Vista bugs to Microsoft for free.

      Ryan Naraine
      • And maybe pigs are flying too.

        Sorry Ryan but without something to support your assertion why bother making it?
        • 0day shelf life

          0days have a long shelf life.

          Ryan Naraine
          • Sorry, I need something more than this.

            Using the same reasoning I could say that OS X and Linux exploits are too valuable to release and therefore OS X and Linux are just as bad, security wise, as Windows was. While I'm at it I can say that pigs are flying but releasing proof is too valuable.

            As people who participate in these forums know: I need verifiable facts.
          • Again, prove what you are saying is fact, YE.

            There is no need to put spins on this and include Mac OS X and Linux. Keep on topic, son; this is another horrific Microsoft story. Oh Ye, you are definitely in DENIAL.
          • Why are you even in here?

            I fail to see why you are even in the blog...go peddle your hippie views somewhere else.
          • re:Why are you even in here?

            Well, for starters, because I can. Tell me now that you think I shouldn't be here, shill. And secondly, my kids have a Windows XP box in their room. I went to Microsoft Update and all I received was the .NET 1.1 and 2.0 update. Stop being a clueless fool, drkr2004@, here let me let you in the know. I have a Mac, I sure do, and my kids have Windows XP with Debian installed right alongside of it; as for my nephew, he won't touch Microsoft products. He prefers Ubuntu / Feisty Fawn. With all that said, you are now fully informed. Next time, before you make a stupid remark, get to know the people you are looking to insult, because currently you look like a complete idiot.
            I'm Ye, the MS SHILL.
          • Evil: You have me confused.

            While I am a Mac user and prefer OS X over Windows and Linux (both of which I use too), you will not find me pretending that OS X is flawless. To the contrary, I have been accused of being a Microsoft apologist, having defended Windows from all the FUD posted by ABMers. I fully accept that ALL operating systems are vulnerable and don't pretend that OS X is any better than anything else. I also maintain that OS X's appearance of security has a lot to do with its market share (though that's not the whole story).
          • I see...

            You're trying to beat WinZelot as NBM member of the month. How many "critical" flaws are being actively covered up by your heroes in Redmond? Going to the Church of Microsoft to hear Steve and Billy chant is not getting facts. It's participation in the Microsoft religion.
          • Again no facts, just rhetoric.

          • heh...

            Most MS users make fun of MS. Most Mac fanboys would die for 30 seconds on an Apple. Who has the more extremist outlook here?
        • Proof

          P.S. All crackers (not hackers, the story is wrong) should be taken behind the barn and shot.
          • This old unproven rumor again?

            's from December 2006!
          • Why is it a rumor?

            This never happened either, right? And they aren't trying to make money from their efforts?

            Why would you think it is NOT happening?

          • Don't know as I haven't research it. However...

            ...a lot of "facts" presented about Windows are nothing more than people repeating urban legends without providing supporting facts (other than links to others posting the same). This is very similar to the .ANI exploit. Damn near everyone reported that it exists, yet no facts could be found. The only "proof" was links to other postings that it existed.
          • Don't waste your time, Triplell; Zealot & Ye are in denial. <NT>

          • Leopard needs to just bug out...he's in denial as well.

            When your precious iPhone needs to be patched (oops, too late), what are you going to do when the "NBM" people start bashing you? Are you going to be "in denial"?
          • re:Leopard needs to just bug out...he's in denial as well.

            Who is in denial? If anything, it is clueless fools like yourself that are. If anything, Apple made a phone; did Microsoft? How is Microsoft's ZUNE doing these days? I haven't heard anything lately about it. Zune, supposedly the iPod killer, what a joke! Get your facts straight, kid, you are looking more foolish by the second...

            "In a world without walls & fences, who needs windows & gates?"
            I'm Ye, the MS SHILL.