The February 2007 monthly security bulletin has 12 new patches that
address issues in Microsoft Windows, Microsoft Office, Microsoft
Visual Studio, Step-by-Step Interactive Training, Microsoft Data
Access Components and the Malware Protection Engine that is used by
Windows Live OneCare, Microsoft Antigen, Microsoft Windows
Defender, Microsoft Forefront Security for Exchange Server and
Microsoft Forefront Security for SharePoint. Six of the bulletins
have a maximum severity rating of critical while the remaining six
have a maximum severity rating of important.
To help with your planning for this month, I'll first go through
the bulletins to call out information that we feel is particularly
important. I'll then provide you with some important updates
regarding our detection and deployment tools for this month.
Finally, I will close with information about a non-security update
that is nonetheless critical as it addresses the changes to
daylight-saving time in the United States.
MS07-014 and MS07-015 (Office)
In your planning and analysis of this month's bulletins, I want to
draw your attention to the two bulletins that apply to Microsoft
Office: MS07-014 and MS07-015. Between them, the two bulletins
address five issues that have been publicly disclosed. Four of
these have been subject to very limited, targeted attacks. Even
though the attacks have been very limited in scope, we urge you to
make these your top priority for testing and deployment.
MS07-014 addresses six vulnerabilities in Microsoft Word. While
these do not affect Microsoft Word 2007, all other supported
versions of Microsoft Word are vulnerable.
The bulletin is rated critical for Microsoft Word 2000 and
important for all other versions of Word, due to the presence of
additional security trust controls. Four of the vulnerabilities
were publicly disclosed in December 2006 and January 2007, with
three of these subject to very limited, targeted attacks.
In each case, when we learned of an issue we immediately
initiated our Software Security Incident Response Process (SSIRP)
to investigate the issue and provide information about its scope
along with steps customers can take to protect themselves. As soon
as we had information on the situation, we provided it through a
posting to the MSRC weblog. In addition, we've issued two security
advisories on these issues. To help you see which issues we've
posted information on, below is a table matching the specific
vulnerability by CVE number with the postings we've made:
| CVE | Date of posting | Postings |
| --- | --- | --- |
| CVE-2006-5994 | Dec. 5, 2006 | http://blogs.technet.com/msrc/archive/2006/12/06/microsoft-security-advisory-929433-posted.aspx ; http://www.microsoft.com/technet/security/advisory/929433.mspx |
| CVE-2006-6456 | Dec. 10, 2006 | http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx |
| CVE-2006-6561 | Dec. 15, 2006 | http://blogs.technet.com/msrc/archive/2006/12/15/update-on-current-word-vulnerability-reports.aspx |
| CVE-2007-0515 | Jan. 26, 2007 | http://blogs.technet.com/msrc/archive/2007/01/26/microsoft-security-advisory-932114-posted.aspx ; http://www.microsoft.com/technet/security/advisory/932114.mspx |
MS07-015 addresses two vulnerabilities that affect all currently
supported versions of Microsoft Office except the 2007 Microsoft
Office system and Office v.X for Mac. One of these issues was
publicly disclosed and subject to very limited, targeted attacks.
Below is information that we have provided on this issue from our
SSIRP process:
| CVE | Date of posting | Postings |
| --- | --- | --- |
| CVE-2007-0671 | Feb. 2, 2007 | http://blogs.technet.com/msrc/archive/2007/02/02/microsoft-security-advisory-932553-posted.aspx ; http://www.microsoft.com/technet/security/advisory/932553.mspx |
While the second vulnerability that is addressed in MS07-015 has
not been publicly disclosed, there is information about it that you
should be aware of. MS07-015 also addresses the PowerPoint
Malformed Record Memory Corruption Vulnerability (CVE-2006-3877),
which we first discussed in MS06-058 but later learned wasn't
effectively addressed by that update. We have addressed this in
MS07-015, and all our detection and deployment tools have been
updated to correctly offer and install MS07-015 for this
vulnerability. We've also updated the original MS06-058 bulletin to
reflect this fact and to point to MS07-015 for that vulnerability.
I do want to note that the updates for MS06-058 still protect
against the other three vulnerabilities discussed in that
bulletin.
MS07-009 (MDAC)
The MS07-009 bulletin addresses a critical vulnerability in
Microsoft Data Access Components 2.5, 2.7 and 2.8. This issue was
publicly disclosed with proof-of-concept code for which there have
been no attacks. We provided information on this from our SSIRP
process when we first learned about it through the posting listed
below:
| CVE | Date of posting | Postings |
| --- | --- | --- |
| CVE-2006-5559 | Oct. 27, 2006 | http://blogs.technet.com/msrc/archive/2006/10/27/adodb-connection-poc-published.aspx |
While there are no active attacks against this issue, due to the
presence of publicly available proof-of-concept code, we encourage
you to prioritize the testing and deployment of this update along
with MS07-014 and MS07-015.
MS07-010 (Antivirus)
MS07-010 addresses a vulnerability that occurs in the Malware
Protection Engine when processing a specially crafted Portable
Document Format (PDF) file. The Malware Protection Engine is in
turn used in several Microsoft technologies and applications,
specifically Windows Live OneCare, Microsoft Antigen, Microsoft
Windows Defender, Microsoft Forefront Security for Exchange Server
and Microsoft Forefront Security for SharePoint. The vulnerable
code is not in these products themselves but in the Malware
Protection Engine; however, because the products use the Malware
Protection Engine, they provide a vector for exploiting the
vulnerability in it.
Because the vulnerability is in the Malware Protection Engine,
the protection for this vulnerability is delivered through updates
to the Malware Protection Engine itself. While different
applications use different means for updating the Malware
Protection Engine, they are all configured by default to receive
the updates automatically. If you have not changed this, then you
need to take no action for this bulletin: your system will be
protected automatically (and may already be protected by the time
you read this column). For more information about how these updates
are being delivered, please see the "Frequently Asked Questions
(FAQ) Related to This Security Update" section of MS07-010.
MS07-011, MS07-012, MS07-013 (RichEdit)
I would like to call your attention next to three bulletins with
inter-related aspects: MS07-011 through MS07-013. Although each
addresses a different vulnerability, the vulnerabilities all relate
to malformed OLE objects embedded within Rich Text Format (RTF)
documents.
An attempt to exploit any of these vulnerabilities would require
an attacker to create a specially malformed OLE object within an
RTF document, convince a user to open the RTF, either by sending it
through e-mail or posting it on a Web site, and then convince the
user to locate and manipulate the OLE object.
Each bulletin addresses a different vulnerability that could be
exploited in this way. They are separate updates and bulletins
because each vulnerability affects different products and code
paths. None of the updates are dependent on each other; you can
install them in any order. However, we do recommend that you
install all three updates for fullest protection.
MS07-011 contains a defense-in-depth change in addition to the
changes that address its own vulnerability. This change helps
mitigate attack vectors related to the vulnerability addressed in
MS07-012, but we still recommend that you apply that update as
well.
Finally, MS07-012 contains updates that apply to redistributable
components within Visual Studio. Specifically, there are updated
versions of mfc70u.dll from Visual Studio .NET 2002 and mfc71u.dll
from Visual Studio .NET 2003. If you redistribute either or both of
these files as part of any application you've developed, you will
want to apply the update to your development systems and then
provide updated versions of the application that contain these
updated files. If you use an application that contains these files,
you should contact the vendor for that application and work with
the vendor to determine whether you need an updated version of the
application.
Update: WSUSSCAN.CAB
For the February release, we are removing information about
active security updates from the legacy WSUSSCAN.CAB. In an effort
to minimize the impact of these removals, we have targeted older,
lower severity updates. To support the February release, we are
removing information about the following active security
updates:
- Information about all Moderate severity updates from 2004 and 2005
- Information about Important severity updates from 2004
A reminder that the month of March will be the last month we
provide support for the legacy WSUSSCAN.CAB. Because of that, we
strongly encourage you to upgrade to the latest versions of our
tools that use this file. You can get more information about the
situation in last month's column.
MBSA and Windows Vista
I noted in the January 2007 column
(http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1238217,00.html)
that MBSA 2.0.1 provides support for Windows Vista-based systems
only through remote scanning when run from a non-Windows
Vista-based system. Since the January 2007 column, we have posted
Microsoft Knowledge Base Article 931943
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;931943) to
discuss this issue in greater depth.
This Knowledge Base article provides guidance on how to use MBSA
2.0.1 on non-Windows Vista-based systems to scan Windows
Vista-based systems for security updates. The article also shares
information about limitations with MBSA 2.0.1 and Windows Vista.
Specifically, MBSA 2.0.1 cannot be used against Windows Vista-based
systems that retrieve updates from Windows Server Update Services
(WSUS). In addition, the vulnerability assessment capabilities of
MBSA 2.0.1 that scan for common weaknesses and misconfigurations do
not work against Windows Vista-based systems.
I also want to remind you that full support for Windows Vista
within MBSA will be provided by the upcoming MBSA 2.1. We intend to
have a beta version of MBSA 2.1 available in the next few months
and a full release hopefully sometime around summer 2007.
Daylight-Saving Time update
Finally, I wanted to call your attention to a very important
nonsecurity update for this month. Starting in the spring of 2007,
the start and end dates for daylight-saving time (DST) will change
to comply with the Energy Policy Act of 2005. This means that DST
dates in the United States will start three weeks earlier, at 2
a.m. on the second Sunday in March, and end one week later, at 2
a.m. on the first Sunday in November.
To ensure that system clocks update correctly under this new
schedule, we're making updates available for Windows (KB931836) and
Exchange 2003 (KB926666) systems. These updates are being made
available automatically to those customers who have enabled
automatic updates through Windows Update (WU) or Microsoft Update
(MU). In addition, these updates will be made available through
Software Update Services (SUS) and Windows Server Update Services
(WSUS). Note that the update for Windows, KB931836, is considered a
cumulative update because it contains several previously released
time zone updates as well as new changes. Because of this, it's
being published in the "Update Rollup" category on WU, MU, SUS and
WSUS. For those customers using the Systems Management Server
Inventory Tool for Microsoft Updates (ITMU), it will be included in
the ITMU and can be deployed using ITMU.
Even though this isn't a security update, it is a critical
update for all your systems, and we encourage you to test and
deploy it as quickly as possible, before the DST changes in March
2007.
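As a quick check on the rule described above, here is an added example (not part of the original column) that computes the new U.S. DST dates under the Energy Policy Act of 2005, compares them with the pre-2007 rule (first Sunday in April, last Sunday in October), and verifies that a system's installed time zone database actually honours the new dates. The `tz_name` parameter and the choice of `America/New_York` are assumptions for illustration.

```python
from datetime import date, datetime, timedelta
import calendar


def nth_sunday(year: int, month: int, n: int) -> date:
    """Return the n-th Sunday of the month (n=1 is the first Sunday)."""
    first = date(year, month, 1)
    offset = (6 - first.weekday()) % 7          # Monday=0 ... Sunday=6
    d = first + timedelta(days=offset + 7 * (n - 1))
    if d.month != month:
        raise ValueError(f"no {n}th Sunday in {year}-{month:02d}")
    return d


def last_sunday(year: int, month: int) -> date:
    """Return the last Sunday of the month."""
    last = date(year, month, calendar.monthrange(year, month)[1])
    return last - timedelta(days=(last.weekday() - 6) % 7)


def us_dst_bounds(year: int, new_rule: bool = True) -> tuple[date, date]:
    """DST start and end dates for the U.S. (transitions occur at 2 a.m.).

    new_rule=True  -> Energy Policy Act of 2005 rule (from 2007):
                      second Sunday in March to first Sunday in November.
    new_rule=False -> previous rule: first Sunday in April to last Sunday
                      in October.
    """
    if new_rule:
        return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    return nth_sunday(year, 4, 1), last_sunday(year, 10)


def tzdata_honours_2007_rule(tz_name: str = "America/New_York",
                             year: int = 2007):
    """True if installed tz data applies DST exactly between the new dates.

    Returns None when no time zone database is available on this host.
    """
    try:
        from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
        tz = ZoneInfo(tz_name)
    except (ImportError, ZoneInfoNotFoundError):
        return None
    start, end = us_dst_bounds(year)

    def in_dst(d: date) -> bool:             # probe at noon local time
        return datetime(d.year, d.month, d.day, 12, tzinfo=tz).dst() != timedelta(0)

    return (in_dst(start) and not in_dst(start - timedelta(days=1))
            and in_dst(end - timedelta(days=1)) and not in_dst(end))
```

A host whose time zone data predates the KB931836 update would report DST beginning April 1, 2007 instead of March 11, so `tzdata_honours_2007_rule()` returning False is the signal to deploy the rollup.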
You can also get information on the U.S. Daylight Saving Time
change at our special Daylight Saving Time Help and Support
Center.
Last, I'd like to remind you about this month's security
bulletin webcast. It will be on Wednesday, Feb. 14, at 11 a.m. PST
(U.S. and Canada), and you can register for it here.
Our next security bulletin release is scheduled for Tuesday,
March 13, 2007. So I'll be back then with another column to help
with your planning for and deployment of the March bulletins.