"Exchange 2007 is following a new servicing model ... Security updates will require that you have the latest update rollup installed."
Christopher Budd, security program manager, Microsoft Security Response Centre (MSRC)
With the May 2007 monthly security bulletin release, we are releasing a security update (MS07-029) for the Windows Domain Name System (DNS) Server vulnerability that we first discussed last month in Microsoft Security Advisory 935964. In addition to MS07-029, we are releasing six new security bulletins.
I will give you a brief overview of the circumstances around
MS07-029. After that, I will cover important information about the
other updates releasing this month to help you with your planning
and deployment. Before that, though, I will highlight some Support
Lifecycle dates to help with your planning.
Microsoft Support Lifecycle Update
Public security support for Windows Server 2003 SP0 (RTM) expired with the April 2007 security bulletin release. Windows Server 2003 Service Pack 1 (SP1) and Windows Server 2003 Service Pack 2 (SP2) are the currently supported versions of Windows Server 2003, and we encourage all customers to be on one of these supported versions to ensure continued public security support.
Next, I want to note that Windows Server 2003 SP2 will be made available through Automatic Updates (AU) beginning June 12. If you use AU, have not installed Windows Server 2003 SP2, and do not want AU to install it automatically, you should follow the instructions Microsoft has made available.
At the end of April, a new version of Windows Server Update Services, WSUS 3.0, was released. Support for Software Update Services (SUS) 1.0 will expire with the July 10 monthly security bulletin release. If you are a SUS 1.0 customer and have not yet migrated to WSUS, you may want to evaluate WSUS 3.0. There will be no support for deploying new security updates using SUS 1.0 after the July 10 release, so it's important that you complete your migration by that date to ensure no disruption of the delivery of security updates for your environment. You can get more information about WSUS 3.0 at the WSUS Web site.
Public security support for two SQL Server service levels will also end with the July 10 security bulletin release: SQL Server 2000 Service Pack 3a and SQL Server 2005 RTM (no service pack) will expire. We encourage customers on these versions to upgrade to SQL Server 2000 Service Pack 4 and SQL Server 2005 SP1 before the July 10, 2007, deadline.
As always, you can get more information on the Microsoft Support Lifecycle dates for your planning.
MS07-029
If you are a regular reader of the Microsoft Security Response Centre blog, then you're probably up to date with the latest information around the DNS vulnerability that MS07-029 addresses.
We became aware of a limited attack targeting a new vulnerability in the Windows DNS Server on April 12, 2007. We initiated our Software Security Incident Response Process to investigate the issue and published Microsoft Security Advisory 935964 the following morning with workarounds customers could implement to protect against attempts to exploit the vulnerability while we worked on a security update. MS07-029 is the security update that resolves this issue.
Throughout the life of the situation, we've been constantly monitoring and working with partners in the Microsoft Security Response Alliance to provide protections through security products such as antivirus, intrusion detection and intrusion prevention systems. Attacks remained limited throughout the life of the situation, and as of this writing our teams and partners have identified a total of five pieces of malicious software that attempted to exploit the vulnerability. We believe the attacks were limited in part due to customers deploying the workarounds that we recommended in the advisory.
Even though attacks remain limited, they are active, so we encourage customers to make this update their highest priority for testing and deployment. Note that the security update will not undo any workarounds you may have deployed, so your deployment plan will need to include steps to remove them. If you have deployed the workarounds, keep them in place until you have deployed the security update and rebooted your system. At that point, you can go ahead and remove the workarounds you've implemented.
MS07-024
The next bulletin we encourage you to deploy with high priority in your environment is MS07-024. This bulletin addresses a vulnerability in Microsoft Word first discussed on Feb. 14 in Microsoft Security Advisory 933052. The vulnerability does not affect Word 2007 but does affect all other currently supported versions of Microsoft Word. Our initial investigation indicated this was subject to very limited and targeted attacks against Word. Our ongoing monitoring of the situation has indicated that the scope of attacks has remained limited throughout the life of the issue. Once again, although attacks have been very limited and targeted, we encourage you to test and deploy this update with high priority.
MS07-026
MS07-026 is a bulletin for Microsoft Exchange that addresses a
total of four vulnerabilities. Two of these vulnerabilities affect
Exchange 2007. Because this is the first bulletin for Exchange
2007, I want to note a couple of things specific to Exchange 2007
to help with your planning and deployment.
First, Exchange 2007 is following a new servicing model. Among
other things, this means that you should plan to regularly update
your Exchange systems with the provided update rollups. Security
updates will require that you have the latest update rollup
installed.
The Exchange team has made more information available on this issue. Also note that Exchange 2007 is only supported on 64-bit systems. Although you can test Exchange 2007 on 32-bit systems, that is not a supported configuration.
Exchange 2007 on 64-bit systems is fully supported by Microsoft
Baseline Security Analyser (MBSA) 2.0.1, WSUS 2.0 and WSUS 3.0, and
Systems Management Server (SMS) 2003 Inventory Tool for Microsoft
Updates (ITMU). There is no support for detection and deployment of
security updates for Exchange 2007 on 32-bit systems.
Finally, I want to call your attention to the MIME Decoding vulnerability (CVE-2007-0213) in this bulletin. Because this vulnerability could be exploited by processing a malformed e-mail, we encourage you to test and deploy this update with high priority.
MS07-023 and MS07-025
I want to call out a couple of things regarding MS07-023, our bulletin for Microsoft Excel. One of the vulnerabilities we're addressing in this bulletin affects Excel 2007. However, the vulnerability is in the processing of older Excel files -- it does not affect the handling of the new file formats. If you are using Excel 2007, one workaround you can put in place in your environment would be to block access to the older Excel file type. This is called out in the bulletin, but you can get more information about the Excel workaround.
As MS07-025 also affects Microsoft Office 2007, I wanted to note
that for your detection and deployment planning, Office 2007 is
fully supported by MBSA 2.0.1, WSUS 2.0 and WSUS 3.0, and SMS 2003
ITMU.
As we do each month, we'll be holding our regularly scheduled TechNet Security Bulletin webcast on Wednesday, May 9, 2007, at 11 a.m. Pacific Time. The TechNet webcast will be available for on-demand viewing.
In closing, remember that the June 2007 monthly bulletin release
is scheduled for Tuesday, June 12. I'll join you in the June
version of this column with important information to help with your
testing and deployment of the June security updates.