The January 2007 monthly security bulletin has four new security
bulletins that address issues in Microsoft Windows and Microsoft
Office. Three of the bulletins are rated Critical while the
remaining one is rated Important.
To help you better understand some of the things you need to
know about this month's release, I'll first update you on the
status of the WSUSSCAN.CAB issue, help you understand how our
detection and deployment tools relate to our recently released
products, and then provide some information about MS07-001 so you
can better understand what systems are vulnerable.
Update: WSUSSCAN.CAB
In the December 2006 column I noted that for the January 2007
release we could have been forced to remove information about
security updates that were older but still current. I'm happy to
note that the information we removed for the December 2006
release provided enough space for information for the January
2007 release. This means that we have not removed any
information from the legacy WSUSSCAN.CAB for January 2007.
However, we do think we will need to remove information about
current security updates for the February 2007 release.
About Inside MSRC: As part of a special partnership with
SearchSecurity.com, Christopher Budd, security program manager for
the Microsoft Security Response Center (MSRC), offers an inside
look at the process that leads up to "Patch Tuesday" and guidance
to help security professionals make the most out of the software
giant's security updates.
As a reminder, we will be providing support for the legacy
WSUSSCAN.CAB for the February 2007 and March 2007 releases. After
the March 2007 release, no new versions of the WSUSSCAN.CAB will be
posted.
We strongly encourage the deployment of the updated versions of
the Systems Management Server Inventory Tool for Microsoft Updates
(SMS ITMU v3) or Microsoft Baseline Security Analyzer (MBSA) 2.0.1,
if you use it in offline-scan mode. These updated versions use the
new architecture and previous versions will no longer be effective
after the March 2007 release.
With the end of support for the legacy WSUSSCAN.CAB fast
approaching and the chance that we will be forced to remove
information about older but still current security updates for the
February release, it's increasingly important for customers to
deploy the updated versions as soon as possible.
Detection and Deployment Tools
This season we've seen a number of major new products released:
Windows Internet Explorer 7 (IE 7), the 2007 Microsoft Office
system and, of course, the Windows Vista operating system. Even
though this month doesn't have any updates for these products, as
these new products have been released, we've started getting
questions from customers about our support for the products through
our detection and deployment tools. So, to help with your planning,
I will give you an overview of how these new versions relate to our
detection and deployment tools.
Microsoft Update (MU) and Windows Server Update Services (WSUS)
provide full support for all three new products. So if you're
directing your users to MU or are using WSUS in your environment,
you already have support for these new products.
With SMS there are some differences in support based on the
version of the detection engine. The SUS feature pack that can be
used with both SMS 2.0 and SMS 2003 provides support for current
versions of Office, and will also support the 2007 Office release.
The SUS feature pack doesn't provide detection support for Windows
Vista or Internet Explorer 7. The latest version of the SMS ITMU
that can be used with SMS 2003 (released in November 2006) also
supports IE 7, in addition to providing support for the 2007 Office
release and Windows Vista. Because the SUS feature pack is the only
detection engine available for SMS 2.0, if you're planning on
introducing Windows Vista-based systems into your environment and
you're running SMS 2.0, you should consider upgrading your SMS
infrastructure to SMS 2003 so you can support the newest version of
the SMS ITMU. This, in addition to the support for the new
WSUSSCAN.CAB, is an excellent reason to upgrade to the latest
version.
MBSA 1.2.1 provides support through the Office Detection Tool
(ODT) for local detection for 2007 Office release updates. However,
MBSA 1.2.1 does not provide support for Windows Vista or IE 7.
MBSA 2.0.1 provides full support for IE 7 and the 2007 Office
release. However, it only provides support for the remote scanning
of Windows Vista systems with some limitations, including support
only for offline security update scans from Microsoft Update. Full
support for Windows Vista within MBSA will be provided by the
upcoming MBSA 2.1. We intend to have a beta version of MBSA 2.1
available in the next few months and a full release hopefully
sometime around summer 2007. So, if you're an MBSA user and have
the 2007 Office release or Windows Vista systems in your
environment, you'll need to scan these systems from a non-Windows
Vista machine for the short term, and should plan to upgrade to
MBSA 2.1 when it's released.
MS07-001
I want to briefly note the scope of affected systems related to
MS07-001. The vulnerability addressed by this bulletin is in
the Office 2003 Brazilian Portuguese Grammar Checker, so for a
system to be vulnerable, it must have the Office 2003 Brazilian
Portuguese Grammar Checker installed. This means that the systems
which are vulnerable will be those with the Brazilian
Portuguese-localized version of Office 2003 installed, those with
Brazilian Portuguese installed as part of the Office 2003
Multilingual User Interface, and those that have installed
Brazilian Portuguese Language Proofing tools as part of Office
2003.
As always, the easiest way to identify systems to which this
update applies is to use Microsoft detection and deployment tools:
MBSA, MU, WSUS and SMS 2003 with the ITMU.
Conclusion
I hope this bulletin has been helpful for your analysis and
planning. Another helpful resource is our TechNet Security webcast.
Each month we do this webcast on the day after the security
bulletin is released to go over the bulletins. This month's webcast
will be on Wednesday, Jan. 10, 2007, at 11 a.m. PST. During the
live broadcast, we'll answer your questions on the air and
review information about the month's bulletins. If you can't catch
the webcast live, you can always view it on demand. Register for
the webcast.
Last, I want to remind you that the February 2007 monthly
release will be on Tuesday, Feb. 13, 2007. To help you with
planning, our regular pre-release information will be posted on the
previous Thursday, Feb. 8, 2007, at our advance page.
Finally, we'll post the February column here on the
SearchSecurity site, along with information to aid you with
analysis and planning.