Administrators should be aware of changes to the security bulletin format and the Advanced Notification Service. In addition, we've released two security advisories in the past month -- an update to the Windows Installer and the Microsoft Office Isolated Conversion Environment (MOICE). As I do each month, I'll cover this important information in more detail to help with your risk assessment, planning and deployment for the security updates.
New Advanced Notification Service (ANS) and Security Bulletin Design Changes
Changes were made to the Advanced Notification Service (ANS) and
the format of our security bulletins for the June release. You may
have read about these changes in the
MSRC weblog post on May 16, 2007.
The ANS is the information we provide on the Thursday before the
monthly bulletin release on the second Tuesday of the month. Based
on customer requests, we have provided this information to assist
customers with their advanced planning for the monthly release. The
goal is to provide enough information to assist with planning while
not increasing customer risk.
The original ANS provided information that was aggregated by
high-level product family (e.g., Microsoft Windows, Microsoft
Office). Under the new ANS, we're providing the same information
about the upcoming security updates, but now we provide it for each
individual bulletin that will be released rather than aggregating
it by high-level product family. We believe that this change
provides more granular detail to better help with planning without
presenting an unacceptable risk to customers. As with the original
ANS, this information is subject to change until the release of the
actual bulletin on the second Tuesday of the month.
The new security bulletin design is the product of ongoing work
with customers to make the security bulletins easier to use. We've
made many changes to the format, but the most important points to
note are that we've moved content to make it easier to find,
information is clearer, and we've eliminated repetition of
information where possible.
About Inside MSRC: As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.
Microsoft Security Advisory (927891) and Microsoft Security Advisory (937696)
Since the May release, we have released two security advisories
to let you know about important security-related releases and
information. While we often use security advisories to inform
customers about security incidents, we also use them to advise
customers about important information that may relate to their
overall security. We believe you should review these two advisories
to learn about nonsecurity updates and information that may be
important to your overall security.
The first advisory,
Microsoft Security Advisory (927891), is to
let you know about an update to the Windows Installer. This
update addresses issues some customers have had when applying
updates from Windows Update, Microsoft Update and Automatic
Updates. Because this can affect your ability to apply security
updates as well as nonsecurity updates, we recommend that you
review this advisory and take the appropriate action for your
environment.
The second advisory,
Microsoft Security Advisory (937696), is to
let you know about the Microsoft Office Isolated Conversion
Environment (MOICE) and the ability to restrict opening or
saving types of files in Microsoft Office 2003 and the 2007
Microsoft Office system (sometimes called "file block"). These
two tools can be used together to make it easier to protect from
Microsoft Office files that may contain malicious software, such
as unsolicited Microsoft Office files received from unknown or
known sources. Because of this, we encourage you to review the
advisory and evaluate these tools for your environment,
especially if you are running Office 2003. More details can be
found on our
May 22 MSRC blog posting and in the
advisories themselves.
Detection and Deployment Tool Deadlines
There are two very important deadlines that relate to our
detection and deployment tools.
The June 2007 release marks the extended deadline for support
for Software Update Services (SUS) 1.0. After this release, no
further updates will be made available through SUS 1.0. If you're a
SUS 1.0 customer and have not already upgraded to Windows Server Update Services (WSUS) 2.0 or the new WSUS 3.0, we strongly encourage you to do so right away. You can get more information about WSUS.
Also, our support for Microsoft Baseline Security Analyzer (MBSA) 1.2.1 will end Oct. 9, 2007. All customers are encouraged to
upgrade to MBSA 2.0.1, the latest version of MBSA. For customers
using legacy products that are not supported by MBSA 2.0.1, Shavlik
Technologies provides a free MBSA 2.0.1 companion tool called
Shavlik NetChk Limited. You can get more information
about MBSA
2.0.1 and information about
Shavlik NetChk Limited.
MS07-031
MS07-031 addresses a vulnerability in the Secure Channel
(Schannel) security package in Windows. Schannel implements Secure
Sockets Layer (SSL) and Transport Layer Security (TLS) for Windows.
These are best known for use with secure Web sites that use
HTTPS.
This is a code execution vulnerability in the operating system's
security context (LocalSystem) on Windows XP Service Pack 2. For
Windows 2000 and Windows Server 2003, this is a denial of service
vulnerability that could cause the system to stop accepting SSL/TLS connections until the system is restarted. In the case of Windows
Server 2003, it could instead cause the system to restart. Windows
Vista is not affected by this vulnerability. Any attempt to exploit
the vulnerability would require convincing the user to navigate to
a malicious Web site.
This vulnerability was responsibly reported to us; however,
there are no workarounds for it. Also, in the case of this
particular vulnerability on Windows Server 2003, the Enhanced
Security Configuration does not mitigate attempts to exploit this
vulnerability. In light of these facts and the importance of
SSL/TLS, we encourage all customers to prioritize this security
update for deployment.
MS07-034
MS07-034 addresses information disclosure vulnerabilities in
Outlook Express 6 and Windows Mail and a code execution
vulnerability in Windows Mail.
The code execution vulnerability in Windows Mail was publicly
disclosed with proof-of-concept code in March 2007. The original
public discussion around the vulnerability indicated that user
interaction was required in any attempt to exploit the
vulnerability; however, our security teams' internal research
showed that in very specific, nondefault scenarios there is a
possibility of this vulnerability being exploited without user
interaction. Because we are conservative in our severity rating, we
have rated this issue as Critical. Because we have not identified
any workarounds for this particular vulnerability, we encourage you
to prioritize this security update for deployment.
Conclusion
We'll be holding this month's regularly scheduled
TechNet Security Bulletin webcast on
Wednesday, June 13 at 11 a.m. Pacific Time. It will also be
available for on-demand viewing.
In closing, I'd like to remind you that the July 2007 monthly
bulletin release is scheduled for Tuesday, July 10, 2007. I'll be
back then with information you can use for your assessment and
deployment of the July security updates.