Administrators should be aware of the expiration of support for
Software Update Services (SUS) 1.0 this month. In addition,
administrators should evaluate, test and deploy security updates
associated with six new security bulletins affecting Microsoft
Windows, Microsoft Office and the Microsoft .NET Framework.
Administrators should pay particular attention to MS07-039, which
addresses a vulnerability in servers running Active Directory.
As I do each month, I'll cover this important information in
more detail to help with your risk assessment, planning and
deployment.
SUS 1.0 expiration
First, I have to correct an error in last month's
Inside the MSRC column regarding the expiration of support for
SUS 1.0. The July release, not the June release, marks the last
release that we will be providing updates through SUS 1.0. That
means if you are still running SUS 1.0, you will receive this
month's security updates. However, you will not receive any further
security updates through SUS 1.0.
It is critical that you upgrade immediately from SUS 1.0 to a
supported version of Windows Server Update Services (WSUS): either
WSUS 2.0 or the new WSUS 3.0. More information is available about
WSUS 2.0 and WSUS 3.0.
Servers running Active Directory: MS07-039
MS07-039 addresses a vulnerability in Windows 2000 server and
Windows Server 2003 servers running Active Directory. This is a
remote code execution vulnerability in processing Lightweight
Directory Access Protocol (LDAP) requests. Because the
vulnerability is in processing LDAP requests, an attacker could
attempt to exploit the vulnerability by sending a malformed LDAP
packet to an Active Directory server over port 389. The most likely
impact of an attack would be a denial of service; however, it is
possible to run code in the security context of the operating
system. On Windows 2000 server, the LDAP interface on Active
Directory servers allows anonymous, unauthenticated access. On
Windows Server 2003, this interface requires authentication,
meaning an attempt to exploit the vulnerability would require valid
logon credentials.
Because Active Directory is a critical piece of the networking
infrastructure, administrators should make testing and deploying
the updates for this issue a high priority. In addition, Windows
2000 server customers in particular may want to consider
implementing workarounds such as Internet protocol security (IPSec)
until they have completed the testing and deployment of the
updates.
Windows XP Professional SP2 running Internet Information
Services: MS07-041
MS07-041 addresses a remote code execution vulnerability on
Windows XP Professional Service Pack 2 systems that are running
Internet Information Services (IIS) 5.1 only. The impact of a
successful attack would be code in the operating system's security
context. Because IIS is more commonly associated with server
systems like Windows Server 2003, I want to clarify the scope of
products affected by this bulletin.
Windows 2000 servers running IIS 5.0 and Windows Server 2003
servers running IIS 6.0 are not affected by this vulnerability. If
you are running IIS on either of these platforms, you do not need
to take any action because your systems are not vulnerable.
MS07-041 applies only to IIS 5.1, which is only available for
Windows XP Professional. The specific component that has the
vulnerability was only included with IIS 5.1 on Windows XP
Professional. Windows Vista does not contain the vulnerability.
Finally, note that IIS 5.1 is not installed by default on
Windows XP SP2. If you're not running IIS 5.1, then you do not need
to apply this update. However, if you are running IIS 5.1, you
should make this update a priority.
Binary data files: MS07-036 and MS07-037
Now I'll share details around the two bulletins for Microsoft
Office this month: MS07-036 and MS07-037. The MS07-036 bulletin
addresses three code execution
vulnerabilities in currently supported versions of Excel. It is
rated critical for Excel 2000 and important for all other versions
of Excel. The MS07-037 bulletin, rated as important, addresses a
code execution vulnerability in Microsoft Publisher 2007.
The vulnerabilities in question are related to how Excel and
Publisher handle malformed data elements in binary data files. If a
user were to open a specially malformed binary data file either
from a Web site or as an e-mail attachment, an attacker's code
could take any actions on the system that the user could take.
With MS07-036, only one of the three vulnerabilities affects
Excel 2007. More importantly, the vulnerability is specific to
Excel spreadsheets in the binary file format; the new default Open
XML Excel 2007 file format is not affected. This means that Excel
2007 and Excel 2003 customers can take extra steps to protect
themselves by using the Microsoft Office Isolated Conversion
Environment (MOICE) and restricting the opening or saving of types
of files (sometimes called "file blocking"). I discussed these
options in last month's column in relation to
Microsoft Security Advisory (937696). If you are using Office
2003 or Office 2007, you can use these two tools to provide extra
protection until you deploy the security update. Together, these
tools will help prevent Office 2003 or Office 2007 users from
opening Excel binary data files directly, which protects against
malicious malformed Excel binary data files.
You can find more detail on these workarounds in the security
bulletin, MS07-037.
The MS07-037 bulletin affects Publisher 2007 only. However,
unlike Excel 2007, Publisher 2007 continues to use a binary data
file format rather than an XML-based data file format. So the
workarounds that can provide protection for Excel 2007 by
leveraging the new Office Open XML file formats cannot protect
against malformed Publisher binary data files.
Information disclosure via Teredo: MS07-038
The MS07-038 bulletin addresses an information disclosure
vulnerability in Windows Vista. Specifically, it is possible for an
attacker to utilize the Teredo interface to bypass firewall rules
and obtain information about the user's system. There is no
possibility of code execution from this vulnerability.
The Teredo interface provides transition support for TCP/IP
version 6 networking when these systems are behind TCP/IP version 4
Network Address Translators (NATs). In the case of this
vulnerability, when the Teredo interface is running, it can respond
to anonymous requests to return the system's Teredo address or
information about what services are running. For an attacker to
exploit the vulnerability, the Teredo interface must be active. By
default, the Teredo interface is not active when the network
profile is set to "public". However, a user could activate the
Teredo interface without realizing it by clicking on a specially
formed link. In addition, some networking services such as Remote
Assistance or Meeting Space will activate the Teredo interface by
default.
While this is an information disclosure issue only, we encourage
customers to apply this security update to their affected
systems.
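To turn the scope and priority rules from the sections above (MS07-039, MS07-041, MS07-036, MS07-037 and MS07-038) into something an administrator can run against an inventory, here is an added example; it is not code from the column or from Microsoft, and the host records, field names and priority labels are constructed for illustration.

```python
# Added example, not from the column: encodes the scope rules above so a host inventory can be triaged offline.
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    os: str                        # "win2000", "win2003", "winxp-sp2", "vista"
    roles: set = field(default_factory=set)     # e.g. {"active-directory", "iis5.1"}
    office: dict = field(default_factory=dict)  # product -> version, e.g. {"excel": 2003}
    teredo_active: bool = False

def applicable_bulletins(h):
    """Return (bulletin, priority) pairs for one host, per the column's scope rules."""
    out = []
    # MS07-039: AD on Windows 2000 / Server 2003. Windows 2000 answers LDAP anonymously, so it ranks highest.
    if "active-directory" in h.roles and h.os in ("win2000", "win2003"):
        out.append(("MS07-039", "high-anonymous" if h.os == "win2000" else "high"))
    # MS07-041: only IIS 5.1 on XP Pro SP2; IIS 5.0 and IIS 6.0 are out of scope.
    if h.os == "winxp-sp2" and "iis5.1" in h.roles:
        out.append(("MS07-041", "high"))
    # MS07-036: critical for Excel 2000, important for other supported versions.
    if "excel" in h.office:
        out.append(("MS07-036", "critical" if h.office["excel"] == 2000 else "important"))
    # MS07-037: Publisher 2007 only.
    if h.office.get("publisher") == 2007:
        out.append(("MS07-037", "important"))
    # MS07-038: Vista; information disclosure only, reachable only while Teredo is active.
    if h.os == "vista":
        out.append(("MS07-038", "exposed" if h.teredo_active else "latent"))
    return out

def interim_workarounds(h):
    """Mitigations the column names for use until the update is deployed."""
    w = []
    if ("MS07-039", "high-anonymous") in applicable_bulletins(h):
        w.append("IPSec: restrict LDAP (389) on the Windows 2000 DC to trusted hosts")
    if h.office.get("excel") in (2003, 2007):
        w.append("MOICE + file blocking for Excel binary files")
    return w  # Publisher 2007 is still binary-only, so it gets no Open XML workaround

INVENTORY = [  # constructed sample hosts
    Host("dc1", "win2000", {"active-directory"}),
    Host("dc2", "win2003", {"active-directory"}),
    Host("dev-xp", "winxp-sp2", {"iis5.1"}, {"excel": 2007}),
    Host("web1", "win2003", {"iis6.0"}),
    Host("laptop", "vista", office={"publisher": 2007}, teredo_active=True),
]

def triage(inventory=INVENTORY):
    return {h.name: (applicable_bulletins(h), interim_workarounds(h)) for h in inventory}
```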
Conclusion
Finally, I want to share a reminder that we'll be holding our live
webcast to address questions about this month's security bulletin
with our subject matter experts on Wednesday, July 11, 2007, at 11
a.m. PDT. Mike Reavey and I will cover this month's release, then
answer listeners' questions live on the air. If you can't
participate in the live webcast, you can always listen to it later
on-demand. You can register for it at this location.
The August 2007 monthly bulletin release is scheduled for Tuesday,
Aug. 14. I'll be back then with information you can use for your
assessment and deployment of that month's security updates.