Microsoft Patches a Septet of Critical Flaws
By Stephen Swoyer
Microsoft Corp. today published seven new fixes for "critical" vulnerabilities
in its Windows, Office, Exchange, Internet Explorer and BizTalk Server products.
As promised, today's patch haul includes a fix for a flaw
in Microsoft's Windows DNS service. Last month, Redmond published a security
advisory warning of the existence of "limited attacks" targeting
a DNS vulnerability in Windows 2000 Server (SP4) and Windows Server 2003 (all
versions). That flaw, if successfully exploited, could allow a remote code execution
scenario, Microsoft confirmed; in some cases, officials conceded, an attacker
could even run code in the all-powerful Local System context.
Although Microsoft released fixes for both Windows 2000 Server and Windows
Server 2003, it also warned that older, unsupported versions of the Windows
Server product (namely, Windows NT 4.0) might also be vulnerable. Officials
stressed that users of legacy Windows platforms should either migrate to a supported
OS or, alternately, arrange with Microsoft for custom support options.
Today's other "critical" updates all patch flaws that, if exploited,
could result in remote code execution. They include:
It's been a rough
year for Microsoft's Office products, and that trend only continued this
month, with fixes on tap for a host of Office-related vulnerabilities -- including
remote code execution flaws in Microsoft Word, Microsoft Excel and Microsoft
Office as a whole.
To recap: Microsoft confirmed the existence of three vulnerabilities in Word:
- a Word array overflow vulnerability
- a Word document stream vulnerability
- a Word RTF parsing vulnerability
The three vulnerabilities affect, in one way or another, all supported versions
of Word except Word 2007. Word 2000 is susceptible to all three vulnerabilities,
according to Microsoft, which characterizes the potential impact of the flaws
as "critical" in Word 2000 environments. Likewise, Word 2002 is vulnerable
to all three flaws -- although Microsoft characterizes its potential exposure
as "important" instead of critical.
Elsewhere, Word 2003 is vulnerable to two out of the three (the sole exception
being the Word document stream vulnerability), and Microsoft Word for Mac is
likewise vulnerable to at least two of the vulnerabilities (the exception being
the document stream flaw). According to Microsoft, the document stream vulnerability
has been the source of known exploit activity; neither of the other two
Word vulnerabilities had previously been disclosed, however, nor is there any
evidence (to date) of exploit code in the wild.
Redmond also patched a trio of Excel vulnerabilities, at least one of which
affects Excel 2007. These include:
- an Excel BIFF record vulnerability
- an Excel set font vulnerability
- an Excel filter record vulnerability
Excel 2000 is hardest hit, overall, according to Microsoft; all three vulnerabilities
merit a "critical" impact assessment in that product. Excel 2002,
Excel 2003 and the Excel 2003 Viewer are susceptible to all three vulnerabilities,
as well -- although Microsoft characterizes the potential impact on these systems
as "important" instead of "critical."
Excel 2007 is susceptible to only one of the flaws -- the set font vulnerability
-- which is likewise described as "important." Microsoft Excel for
the Macintosh is susceptible to two of the three vulnerabilities (the exception
being the Excel BIFF record flaw).
None of the three had previously been disclosed, Microsoft officials confirmed,
and there's no evidence (to date) of exploit code in the wild.
The final Office patch actually replaces a previous
Microsoft security update. It fixes a new drawing object vulnerability that
affects all supported versions of Microsoft Office, including Office 2007.
This vulnerability was privately disclosed to Microsoft and there's no evidence
(to date) of exploit code in the wild, officials said.
The Exchange update actually patches four separate vulnerabilities in Microsoft's
Exchange Server product: an Outlook Web Access script injection flaw, a malformed
iCal flaw, a MIME decoding flaw and an IMAP literal processing flaw.
Of these, only the MIME decoding vulnerability is linked to a potential remote
code execution exploit. It consistently merits a "critical" assessment
across Microsoft Exchange Server 2000 (SP3), Exchange Server 2003 (SP3) and
Exchange Server 2007.
Microsoft characterizes the other flaws as "important"; the Outlook
vulnerability could result in information disclosure while both the iCal and
IMAP flaws are linked to potential DoS scenarios.
Only Exchange 2000 (SP3) is susceptible to all four vulnerabilities (and, again,
only the MIME decoding vulnerability is assessed as "critical").
None of the four flaws had previously been disclosed and there's no evidence
of exploit code in the wild, Microsoft said.
Finally, Microsoft also patched a vulnerability in its CAPICOM and BizTalk Server
offerings. The flaw -- which Redmond describes as a CAPICOM.Certificates vulnerability
-- affects CAPICOM and service packs 1 and 2 of BizTalk Server 2004.
BizTalk Server versions 2000, 2002 and 2006 are not affected, Microsoft confirmed.
The CAPICOM.Certificates flaw had not previously been disclosed, nor is there
any evidence of exploit code in the wild, Microsoft indicated.
NOTE: Microsoft had not provided any additional information about the IE update
as of press time.
Stephen Swoyer is a contributing editor for Enterprise Systems.