Patch Tuesday: 7 bulletins, 19 flaws, all critical

Summary: Microsoft has released seven advisories -- all rated critical -- with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Vista is affected by 6 of the 19 flaws.

It's an all-critical Patch Tuesday.

Microsoft has just released seven advisories -- all rated critical -- with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser.

Six of the 19 vulnerabilities affect Windows Vista.

The batch of updates includes a promised fix for the Windows DNS RPC vulnerability that was being used in zero-day attacks last month.   

There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. 

Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which covers 4 different flaws.

A cumulative IE update addresses six potentially dangerous bugs.  There are the six that apply to IE 7 on Windows Vista.

The last bulletin in this month's batch applies to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.

The raw details:

MS07-023: Three vulnerabilities in Microsoft Excel that could allow code execution attacks.  This applies to Office 2000 (SP3), Office XP, Excel 2002, Office 2003 (SP2), Excel 2003 (including Viewer), 2007 Office System and Office 2004 for Mac.

MS07-024: Three vulnerabilities in Microsoft Word that put users at risk of PC takeover attacks.  One of these bugs was being exploited in zero-day attacks so treat this one with the highest possible priority if you depend on Microsoft Word documents.

MS07-025: Covers a single bug affecting the Microsoft Office software suite.  This carries a "critical" rating but the only version vulnerable to code-execution attacks is Office 2000.  The 2007 Office system is affected but the risk is lowered to "important."

MS07-026: This applies to Microsoft Exchange and provides patches for 4 different vulnerabilities.  Affected versions include Exchange 2000 Server, Exchange Server 2003 and Exchange Server 2007.  One of the 4 flaws is rated "critical" across the board.

MS07-027: This is the Internet Explorer patch that affects IE 7 on Windows Vista. In all, this cumulative update fixes six different vulnerabilities that could lead to code execution attacks.  Three of the six bring code execution risks to Vista users.  Exploit code for one of these flaws is publicly available.

MS07-028: A vulnerability in CAPICOM that could allow remote code execution on BizTalk Server 2004.  The flaw lies in CAPICOM.Certificates, an ActiveX control that provides scripters (VBS, ASP, ASP.NET etc.) with a method for encrypting data based on secure underlying Windows CryptoAPI functionality.

MS07-029: This addresses the code execution hole in the Windows DNS RPC Interface that was discovered during zero-day attacks last month.  This update should be treated with the highest possible priority if you are running Windows 2000 or Windows Server 2003.  Exploit code and attack information are widely available.

* NOTE: This post was updated to reflect the accurate flaw count.

[UPDATE: May 8, 2007 @ 5:23 PM]  Microsoft offers a free DVD5 ISO image file with all the March 2007 security updates. The image does not contain security updates for other Microsoft products. This DVD5 ISO image is intended for corporate administrators who manage large multinational organizations, who need to download multiple individual language versions of each security update and who do not use an automated solution such as Windows Server Update Services (WSUS).

Topics: Windows, Browser, Microsoft, Security

Talkback

127 comments
  • If you needed a reason to upgrade to Vista here it is.

    .
    ye
    • GOOD joke, ye ... like I'm gonna upgrade, to VISTA, ...

      ... an Exchange server or a Domain Controller running the DNS server (to address MS07-026 and MS07-029, respectively)!!

      <hyuk, hyuk, guffaw>

      WHAT is REALLY funny is Axey and Rockhead Davidson will prolly take yer suggestion SERIOUSLY! Now, I'm gonna bust a RIB on that'un!
      OButterball
      • Glad to hear you're seeing the light.

        .
        ye
        • Gawd, to be a fly on the wall ...

          ... about two minutes into that $250 phone call:

          Microsoft Tech: "Um, Mr. Rockhead? You CANNOT install Exchange Server on a Vista machine, not even Vista Ultimate."

          Rockhead: "WHAT!?!? Now you are sounding just like that OhBee character over on ZDNet!"

          Microsoft Tech: "Well, um, he's correct."

          Rockhead: <sound of spittle hitting the telephone receiver> "NOOO! He can NEVER be correct! Wahhh! Wahhh!"

          Microsoft Tech: "Cheer up, though, you CAN use Vista as a limited no-updates-required print server, as a person called No_Ax_Grinding_too_Much recommends to all HIS customers."
          OButterball
          • Speaking of...

            ...the Axey and Rockhead Show, where are they? I am curious how today's episode will be.
            Stuka
          • They are safely tucked away in the woodwork.

            I never could stand these <Mike> Cox-a-roaches.
            Intellihence
          • Strawman

            Come now. Are you so hateful of Microsoft that you need to resort to strawmen in
            order to relieve your anger?
            ye
          • Oh, pshaw, I don't hate MS ...

            ... "I love Big Brother." - Winston Smith, 1984

            <chuckle> ;)
            OButterball
          • Then how do you explain your strawman?

            .
            ye
          • Why, the same way you explain ...

            ... your willingness to jump to the defense of a multi-billion dollar software company who regularly disseminates half-truths and full-lies about their competitors: Some of us just gotta do what we gotta do, eh?
            OButterball
          • What defense?

            I merely said that if someone was looking for a reason to upgrade to Vista the answer is right here.

            Now why do you continue to build strawmen?
            ye
          • It should have been obvious by now, ye:

            I jes LOVE pullin' YER chain!

            <yuk, yuk> :D
            OButterball
          • Your mom must be proud.

            .
            ye
          • Sssh! My Mom ain't in earshot!

            Otherwise, she'd scold me fer poking fun at the other kid.

            Back to topic, though, I see these latest exploits as an even greater reason to hold off on upgrading to Vista; especially since, as Mary Jo says, MS is starting to really flip-flop on the whole SP1 issue:

            http://blogs.zdnet.com/microsoft/?p=427
            OButterball
          • Hey Ye, year to date, Windows has more flaws than Mac OS X.

            Just thought I should rub it in. I see Vista has 6 security updates this month. Do you need any more proof, or are you still saying that Vista is invincible? I'd like to hear your take?
            I'm Ye, the MS SHILL .
          • Strawman. Never said it was invincible.

            Just more secure than Linux and OS X.
            ye
          • Microsoft pencils in seven bug fixes for next/this week

            Microsoft pencils in seven bug fixes for next week
            Critical Windows DNS server, Word patches likely to be released

            http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018590&intsrc=hm_list

            "If Microsoft issues the seven updates, users will have seen 29 bulletins in the first four months of the year, and at least 49 patches; more than half of those will have been marked critical. During the first five months of 2006, Microsoft issued 20 updates with 36 patches."

            Now that sure is a lot more flaws than what Apple has, and the majority of these flaws are highly critical. If you want to rant about the Quicktime/Flaw, let's be fair about it, because it affects Windows too.
            Intellihence
          • They also have more users and more software

            They also have more users and more software
            fr0thy2.
          • Whooo-Boy!

            Yes they are. They are frustrated that with a PC, I can play any game out there, but to play the same game on a Mac, I gotta jump through a bunch of hoops.

            They are further incensed that now virus makers are targeting macs, and since mac is open-source, they have no defense.

            :)
            VonHelton
          • Show me, where are the Mac viruses?

            I haven't seen one in all the time I've been a Mac user. I've been a Mac user since the mid 90's.
            Intellihence