The April 2007 monthly security bulletin release is our first
regular monthly release since February 2007. Since the last
bulletin release, we issued MS07-017 one week early as an
out-of-band release to help protect customers, and released five
new security updates as part of our regular monthly release
process.
In this month's column, I'll discuss information about MS07-017
as well as the five April updates. And since this is the first
bulletin release to cover Windows Vista, I'll focus this month on
information you'll need to know about the new operating system.
I'll close with a final update for you on the WSUSSCAN.CAB
issue.
MS07-017
MS07-017 addresses seven vulnerabilities in Microsoft Windows.
The most noteworthy of these vulnerabilities is the Windows
Animated Cursor Remote Code Execution Vulnerability
(CVE-2007-0038). On March 28 we learned through a Microsoft
Security Response Alliance (MSRA) partner that this vulnerability
was being used in an attack. We mobilized our Software Security
Incident Response Process (SSIRP) as soon as we got the report and
worked through the night to investigate and publish Microsoft
Security Advisory 935423.
This vulnerability had been responsibly reported to us by a
security researcher in late December 2006 and had been under
investigation with a security update under development. At the time
of the attack, that update was planned for release as part of our
April 2007 monthly security bulletin release. The update under
development addressed this vulnerability as well as six other
vulnerabilities.
Based on the risk to customers from the attack, we evaluated our
options and determined that the best way to protect customers was
to expedite the final testing of the planned update and release it
early. We worked on final testing through the weekend to ensure the
security update met the level of quality appropriate to be released
out of band on Tuesday April 3. Sunday evening, April 1, we posted
a special edition of the Microsoft advance notification and noted
on the MSRC blog that we would be releasing the update for this
issue early.
The pre-release testing uncovered one known issue affecting
Windows XP SP2 users with the RealTek Audio control panel. As part
of our regular process, we documented this issue in the Master
Knowledge Base article referenced in the Caveats section of the
security bulletin. For MS07-017, this is Microsoft Knowledge Base
Article 925902. Specifically, a hotfix available through Microsoft
Knowledge Base Article 935448 resolves this issue.
Since the release, we have learned of three other applications
that have issues after the update for MS07-017 is applied. The
hotfix associated with Microsoft Knowledge Base Article 935448
addresses these issues.
Based on customer feedback, as part of the April monthly release
we've released this hotfix through Windows Update (WU), Microsoft
Update (MU) and Automatic Updates (AU) to deliver the hotfix
automatically as a High Priority Non-Security update. Only
customers with the security update for MS07-017 and any of these
four applications will receive the update. Windows Server Update
Services (WSUS) and Software Update Services (SUS) customers can
approve the hotfix to have it installed on systems with the
security update for MS07-017 and any of these four
applications.
Because this is a hotfix and not a security update, the
Microsoft Baseline Security Analyzer (MBSA) and Systems Management
Server (SMS) security update tools will not automatically identify
or deploy it. However, SMS customers can build custom detection and
deployment packages, and all customers can identify if the hotfix
is installed using the information in the Knowledge Base
article.
Windows Vista and the April 2007 security updates
We have also released our first security updates for Windows Vista.
Since this is the first month for updates for the new operating
system, I wanted to help you understand how this month's updates
apply to Windows Vista.
Two of the five bulletins for Windows in April 2007 apply to
Windows Vista: MS07-017 and MS07-021. The other three bulletins
that apply to Windows — MS07-019, MS07-020 and MS07-022 — do not
apply to Windows Vista at all. Of the seven vulnerabilities
discussed in MS07-017, only two of the issues apply to Windows
Vista.
Windows Vista and detection and deployment tools
I have briefly discussed in previous columns some of our support
for Windows Vista with our detection and deployment tools. I wanted
to review this information and cover how all our detection and
deployment tools provide support for Windows Vista.
Windows Update, Microsoft Update, Automatic Updates
Windows Update (WU), Microsoft Update (MU) and Automatic Updates
(AU) fully support Windows Vista in the same way they support
Windows XP. By default, Windows Vista uses Windows Update as the
source for Automatic Updates, just like Windows XP SP2. We
strongly recommend that you opt in to Microsoft Update, either by
clicking "Get updates for more products" in the Windows Update
control panel or by going to the Microsoft Update site. Also, I
want to note that both Microsoft Office
2007 and Windows Live OneCare will offer to enable your system for
Microsoft Update. Using Microsoft Update will give you broader
protections by providing updates for applications such as Microsoft
Office in addition to those updates you would get through Windows
Update.
There are some small changes to the Windows Update client in
Windows Vista. Specifically, the Windows Update client is now
located as an applet in the Control Panel and security updates
appear under the Important category.
Windows Server Update Services and Windows Software Update Services
Windows Server Update Services (WSUS) fully supports Windows Vista
just as it does Windows XP SP2. WSUS also provides the same updates
as Microsoft Update, so if you run a small or medium-sized
organization, we strongly encourage you to consider putting WSUS in
place. Software Update Services (SUS) does not support Windows
Vista. Also, SUS is nearing the end of support, so if you're a SUS
customer evaluating Windows Vista, you should include an upgrade to
WSUS as part of your planning.
Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) will provide full
support for Windows Vista with upcoming version 2.1, which is in
beta testing. MBSA 2.1 beta is available today from the
MBSA site and fully
supports this month's updates for Windows Vista.
If you are an MBSA 2.0.1 customer, you can use MBSA 2.0.1 to
scan Windows Vista systems remotely for this month's updates. MBSA
1.2.1 does not provide any support for Windows Vista. If you are an
MBSA 1.2.1 customer evaluating Windows Vista, you should include an
upgrade to MBSA 2.1 as part of your planning. You can check
Microsoft Knowledge Base article 931943 for information on MBSA
support for Windows Vista.
Systems Management Server
Systems Management Server (SMS) provides support for Windows Vista
through SMS 2003 Inventory Tool for Microsoft Updates (ITMU)
version 3, which was released in November 2006. If you are an SMS
ITMU customer, you should already be running version 3 to support
the new WSUSSCAN.CAB format. Earlier versions of the SMS ITMU and
the SMS Security Update Inventory Tool do not provide support for
Windows Vista. If you use SMS and are evaluating Windows Vista, you
should include SMS 2003 ITMU version 3 as part of your planning.
Final Update on WSUSSCAN.CAB
In this column, I've been keeping you updated on the situation with
the WSUSSCAN.CAB and alerting you to the impending end of support
for the old legacy WSUSSCAN.CAB and the impact of that on our
detection and deployment tools. I have a final update. As a
reminder, the changes to the architecture of the WSUSSCAN.CAB to
move to the WSUSSCN2.CAB file mean that anyone using MBSA 2.0 in
offline-scan mode needs to use MBSA 2.0.1 and anyone using SMS ITMU
needs to use SMS ITMU version 3. These tools needed to be updated
to support the new architecture. You can get more information on
the new WSUSSCN2.CAB file in Microsoft Knowledge Base article
926464.
The February 2007 release was the last release with support for
the legacy WSUSSCAN.CAB. There is no support in the April releases
for the legacy WSUSSCAN.CAB. This means that if you are using the
tools I mentioned and haven't updated to the latest versions, those
tools will not help provide protection for the bulletins released
today.
Conclusion
In closing, I want to remind you that we'll be discussing all of
April's bulletins during our regularly scheduled April 2007
TechNet security bulletin webcast.
Our May 2007 monthly security bulletin release is scheduled for
Tuesday May 8, and the May 2007 advance notification will be posted
the Thursday before, on May 3, 2007. I'll join you once again in
this space next month with important information to help you plan
for and deploy any updates we release in May.