Administrators should be aware that support for Software Update Services (SUS) 1.0 expires this month. In addition, administrators should evaluate, test and deploy the security updates associated with six new security bulletins affecting Microsoft Windows, Microsoft Office and the Microsoft .NET Framework. Administrators should pay particular attention to MS07-039, which addresses a vulnerability in servers running Active Directory.
As I do each month, I'll cover this important information in more detail to help with your risk assessment, planning and deployment.
SUS 1.0 expiration
First, I have to correct an error in last month's Inside the MSRC column regarding the expiration of support for SUS 1.0. The July release, not the June release, is the last release for which we will provide updates through SUS 1.0. That means if you are still running SUS 1.0, you will receive this month's security updates, but you will not receive any further security updates through SUS 1.0.
It is critical that you upgrade immediately from SUS 1.0 to a supported version of Windows Server Update Services (WSUS): either WSUS 2.0 or the new WSUS 3.0. More information is available about WSUS 2.0 and WSUS 3.0.
Servers running Active Directory: MS07-039
MS07-039 addresses a vulnerability in Windows 2000 Server and Windows Server 2003 systems running Active Directory. This is a remote code execution vulnerability in the processing of Lightweight Directory Access Protocol (LDAP) requests. Because the vulnerability is in LDAP request processing, an attacker could attempt to exploit it by sending a malformed LDAP packet to an Active Directory server over port 389. The most likely impact of an attack would be a denial of service; however, it is possible to run code in the security context of the operating system. On Windows 2000 Server, the LDAP interface on Active Directory servers allows anonymous, unauthenticated access, so the vulnerable code path is reachable without credentials. On Windows Server 2003, this interface requires authentication, meaning an attempt to exploit the vulnerability would require valid logon credentials.
Because Active Directory is a critical piece of the networking infrastructure, administrators should make testing and deploying the updates for this issue a high priority. In addition, Windows 2000 server customers in particular may want to consider implementing workarounds such as Internet protocol security (IPSec) until they have completed the testing and deployment of the updates.
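To put a number on the exposure described above, the following script is an added example; it is not part of this column or of any Microsoft tool. It hand-builds the LDAPv3 messages (RFC 4511, BER-encoded) for an anonymous bind on port 389 followed by a base-scope read of a naming context, and reports whether the directory answered without credentials. The host name and base DN are hypothetical placeholders you replace with your own; run it only against servers you administer.

```python
"""Anonymous LDAP probe for the exposure behind MS07-039 (added example; not code
from the MSRC column or from Microsoft). It hand-encodes the LDAPv3/BER operations
(RFC 4511) that show whether a domain controller answers unauthenticated requests on
TCP/389: an anonymous BindRequest, then a base-scope SearchRequest on a naming
context. Host names and base DNs are hypothetical; test bytes are constructed."""
import socket

# ASN.1 universal tags, then the LDAP application/context tags used below (RFC 4511, sec. 4)
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED, BOOLEAN = 0x30, 0x02, 0x04, 0x0A, 0x01
BIND_REQUEST, BIND_RESPONSE, SEARCH_REQUEST, SEARCH_ENTRY, SEARCH_DONE = 0x60, 0x61, 0x63, 0x64, 0x65
SIMPLE_AUTH, PRESENT_FILTER = 0x80, 0x87   # [0] simple password, [7] present filter

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n, tag=INTEGER):
    """Two's-complement INTEGER/ENUMERATED; the +8 keeps the sign bit clear for positives."""
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def ber_str(s):
    return tlv(OCTET_STRING, s.encode("utf-8"))

def ldap_message(msg_id, op):
    return tlv(SEQUENCE, ber_int(msg_id) + op)

def bind_request(msg_id=1):
    """Anonymous simple bind: version 3, empty DN, empty password (14 bytes on the wire)."""
    return ldap_message(msg_id, tlv(BIND_REQUEST, ber_int(3) + ber_str("") + tlv(SIMPLE_AUTH, b"")))

def search_request(msg_id, base_dn):
    """Base-scope (objectClass=*) search asking for objectClass only; sizeLimit 1, timeLimit 10 s."""
    body = (ber_str(base_dn) + ber_int(0, ENUMERATED) + ber_int(0, ENUMERATED)   # baseObject, neverDeref
            + ber_int(1) + ber_int(10) + tlv(BOOLEAN, b"\x00")
            + tlv(PRESENT_FILTER, b"objectClass") + tlv(SEQUENCE, ber_str("objectClass")))
    return ldap_message(msg_id, tlv(SEARCH_REQUEST, body))

def read_tlv(buf, pos=0):
    """Return (tag, value, position just after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                          # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_message(buf):
    """Decode one LDAPMessage into (message_id, op_tag, result_code, diagnostic); the last
    two are None for operations that carry no LDAPResult (SearchResultEntry)."""
    _, body, _ = read_tlv(buf)                  # outer SEQUENCE
    _, mid, pos = read_tlv(body)
    op_tag, op_body, _ = read_tlv(body, pos)
    msg_id = int.from_bytes(mid, "big", signed=True)
    if op_tag not in (BIND_RESPONSE, SEARCH_DONE):
        return msg_id, op_tag, None, None
    _, code, pos = read_tlv(op_body)            # resultCode
    _, _, pos = read_tlv(op_body, pos)          # matchedDN
    _, diag, _ = read_tlv(op_body, pos)         # diagnosticMessage
    return msg_id, op_tag, int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def recv_message(sock):
    """Read exactly one LDAPMessage from the socket; its BER header gives the length."""
    def exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            data += chunk
        return data
    hdr = exact(2)
    if hdr[1] < 0x80:
        return hdr + exact(hdr[1])
    hdr += exact(hdr[1] & 0x7F)
    return hdr + exact(int.from_bytes(hdr[2:], "big"))

def probe(host, base_dn, port=389, timeout=5.0):
    """Bind anonymously, then read base_dn. success (0) with an entry returned means the
    directory is readable without credentials; operationsError (1) means it is not."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1))
        _, _, code, diag = parse_message(recv_message(s))
        if code != 0:
            return {"anonymous_bind": False, "result_code": code, "diagnostic": diag}
        s.sendall(search_request(2, base_dn))
        entries = 0
        while True:
            _, op, code, diag = parse_message(recv_message(s))
            entries += op == SEARCH_ENTRY
            if op == SEARCH_DONE:
                break
    return {"anonymous_bind": True, "anonymous_read": code == 0 and entries > 0,
            "result_code": code, "diagnostic": diag}
```

A call such as `probe("dc01.corp.example", "DC=corp,DC=example")` (hypothetical names) returns a small dictionary. An `anonymous_read` of True is the Windows 2000 Server behavior described above: the directory is readable, and therefore the vulnerable request parser is reachable, without any credentials. A SearchResultDone carrying result code 1 (operationsError, in RFC 4511's numbering) with a diagnostic asking for a successful bind is what an authenticated-only directory returns. The result codes are the protocol's; which one you see depends on the server's anonymous-access setting, which is exactly what you want to know before deciding how urgently to deploy the update or the IPsec workaround.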
Windows XP Professional SP2 running Internet Information Services: MS07-041
MS07-041 addresses a remote code execution vulnerability on Windows XP Professional Service Pack 2 systems that are running Internet Information Services (IIS) 5.1 only. The impact of a successful attack would be code execution in the operating system's security context. Because IIS is more commonly associated with server systems like Windows Server 2003, I want to clarify the scope of products affected by this bulletin.
Windows 2000 servers running IIS 5.0 and Windows Server 2003 servers running IIS 6.0 are not affected by this vulnerability. If you are running IIS on either of these platforms, you do not need to take any action because your systems are not vulnerable.
MS07-041 applies only to IIS 5.1, which is only available for Windows XP Professional. The specific component that has the vulnerability was only included with IIS 5.1 on Windows XP Professional. Windows Vista does not contain the vulnerability.
Finally, note that IIS 5.1 is not installed by default on Windows XP SP2. If you're not running IIS 5.1, then you do not need to apply this update. However, if you are running IIS 5.1, you should make this update a priority.
Binary data files: MS07-036 and MS07-037
Now I'll share details around the two bulletins for Microsoft Office this month: MS07-036 and MS07-037. The MS07-036 bulletin addresses three code execution vulnerabilities in currently supported versions of Excel. It is rated critical for Excel 2000 and important for all other versions of Excel. The MS07-037 bulletin, rated as important, addresses a code execution vulnerability in Microsoft Publisher 2007.
The vulnerabilities in question are related to how Excel and Publisher handle malformed data elements in binary data files. If a user were to open a specially crafted binary data file, either from a Web site or as an e-mail attachment, an attacker's code could take any actions on the system that the user could take.
With MS07-036, only one of the three vulnerabilities affects Excel 2007. More importantly, the vulnerability is specific to Excel spreadsheets in the binary file format; the new default Open XML Excel 2007 file format is not affected. This means that Excel 2007 and Excel 2003 customers can take extra steps to protect themselves by using the Microsoft Office Isolated Conversion Environment (MOICE) and by restricting which types of files Office will open or save (sometimes called "file blocking"). I discussed these options in last month's column in relation to Microsoft Security Advisory (937696). If you are using Office 2003 or Office 2007, you can use these two tools to provide extra protection until you deploy the security update. Together, these tools help prevent Office 2003 or Office 2007 users from opening Excel binary data files directly, which protects against malicious malformed Excel binary data files.
You can find more detail on these workarounds in the security bulletin, MS07-036.
The MS07-037 bulletin affects Publisher 2007 only. However, unlike Excel 2007, Publisher 2007 continues to use a binary data file format rather than an XML-based data file format. So the workarounds that can provide protection for Excel 2007 by leveraging the new Office Open XML file formats cannot protect against malformed Publisher binary data files.
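File blocking, as discussed above, keys on the format that is actually vulnerable rather than on a file's name. The following script is an added example, not part of this column or of Office: it is the complementary check a mail or web gateway can make in front of the Office-side workaround, classifying an attachment by its container signature (the OLE2 compound-file header shared by .xls and .pub, versus the zip-based Open XML package) so that a binary workbook carrying an .xlsx extension is still caught. Excel decides by content (Excel 2007 warns about the mismatched extension but will still open the file), so an extension-only rule is not enough. The extension lists and sample files are constructed for illustration.

```python
"""Content-based filter for the binary Office formats behind MS07-036 and MS07-037.

Added example, not from the MSRC column or any Microsoft tool: the check a mail or
web gateway can apply in front of Office file blocking. It classifies a file by its
container signature rather than its extension, because Excel opens a file by its
content, so a legacy .xls renamed to .xlsx would slip past an extension rule.
sample_ole2()/sample_ooxml() build constructed stand-ins, not real documents.
"""
import io
import os
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound-file header: xls, doc, ppt, pub
ZIP_MAGIC = b"PK\x03\x04"                          # Open XML packages are zip archives
OOXML_EXT = {".xlsx", ".xlsm", ".xltx", ".docx", ".docm", ".pptx"}   # illustrative list

def container_type(data):
    """'ole2' (binary Office), 'ooxml' (Open XML package), 'zip' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml"
        except zipfile.BadZipFile:
            pass
        return "zip"
    return "other"

def decide(filename, data, block_binary=True):
    """Return ('block' | 'allow', reason). block_binary mirrors a file-block policy
    that refuses the legacy formats; a binary file wearing an Open XML extension is
    refused regardless, since that only ever looks like evasion."""
    ext = os.path.splitext(filename)[1].lower()
    kind = container_type(data)
    if kind == "ole2":
        if ext in OOXML_EXT:
            return "block", "binary Office container with an Open XML extension"
        if block_binary:
            return "block", "legacy binary Office format"
        return "allow", "binary Office format permitted by policy"
    if kind == "ooxml":
        return "allow", "Open XML package"
    return "allow", "not an Office container (%s)" % kind

def sample_ole2(size=1536):
    """Constructed: the compound-file signature plus zero-filled sectors. Enough to be
    classified, not a valid workbook or publication."""
    return OLE2_MAGIC + bytes(size - len(OLE2_MAGIC))

def sample_ooxml():
    """Constructed: a minimal Open XML package shell with the content-types part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

def scan(attachments, block_binary=True):
    """Apply decide() to a {filename: bytes} mapping and return the names to block."""
    return sorted(name for name, data in attachments.items()
                  if decide(name, data, block_binary)[0] == "block")
```

Note what the check does and does not do: it tells the two container families apart, which is the distinction that matters for MS07-036 and MS07-037, but it does not tell an Excel compound file from a Publisher one (both are OLE2), and it says nothing about Open XML packages beyond their being the unaffected format. Publisher 2007 has no Open XML equivalent, so for .pub attachments the only gateway choice is to block the binary format outright until the update is deployed.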
Information disclosure via Teredo: MS07-038
The MS07-038 bulletin addresses an information disclosure vulnerability in Windows Vista. Specifically, it is possible for an attacker to utilize the Teredo interface to bypass firewall rules and obtain information about the user's system. There is no possibility of code execution from this vulnerability.
The Teredo interface provides transition support for IPv6 networking when a system sits behind an IPv4 Network Address Translator (NAT), by tunneling IPv6 traffic inside IPv4 UDP. In the case of this vulnerability, when the Teredo interface is running, it can respond to anonymous requests with the system's Teredo address or with information about which services are running. For an attacker to exploit the vulnerability, the Teredo interface must be active. By default, the Teredo interface is not active when the network profile is set to "public". However, a user could activate the Teredo interface without realizing it by clicking a specially formed link. In addition, some networking services, such as Remote Assistance and Meeting Space, activate the Teredo interface by default.
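What a disclosed Teredo address tells an attacker is worth seeing concretely. The following is an added example, not part of this column or of Windows: it decodes a Teredo address using the layout in RFC 4380 (prefix, Teredo server, flags, then the NAT-mapped UDP port and the client's public IPv4 address, each stored XORed with all-ones), and it builds addresses the same way so the decoder can be checked against Python's own `ipaddress` module. The server and client addresses used are constructed from documentation ranges, not observed traffic.

```python
"""Decode and build Teredo addresses (RFC 4380, section 4) to show what the
MS07-038 disclosure of a system's Teredo address hands an attacker.

Added example, not from the MSRC column. Layout per RFC 4380: the 2001:0::/32
prefix, the Teredo server's IPv4 address, 16 flag bits (0x8000 = cone NAT),
then the client's NAT-mapped UDP port and public IPv4 address, each stored
XORed with all-ones. Addresses in the tests are constructed from
documentation ranges, not observed traffic.
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
CONE_FLAG = 0x8000

def is_teredo(addr):
    return ipaddress.IPv6Address(addr) in TEREDO_PREFIX

def decode_teredo(addr):
    """Recover server IPv4, NAT-type flag, mapped UDP port and client public IPv4."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError("%s is not inside %s" % (addr, TEREDO_PREFIX))
    raw = ip.packed
    flags = int.from_bytes(raw[8:10], "big")
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone_nat": bool(flags & CONE_FLAG),
        "mapped_udp_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "client_public_ipv4": str(ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)),
    }

def encode_teredo(server, client_ip, port, cone=False):
    """Inverse of decode_teredo: what a Teredo client derives from its server's reply."""
    if not 0 < port < 0x10000:
        raise ValueError("port out of range")
    raw = (TEREDO_PREFIX.network_address.packed[:4]
           + ipaddress.IPv4Address(server).packed
           + (CONE_FLAG if cone else 0).to_bytes(2, "big")
           + (port ^ 0xFFFF).to_bytes(2, "big")
           + (int(ipaddress.IPv4Address(client_ip)) ^ 0xFFFFFFFF).to_bytes(4, "big"))
    return str(ipaddress.IPv6Address(raw))

def stdlib_cross_check(addr):
    """ipaddress exposes the same (server, client) pair; confirm the decoder against it."""
    server, client = ipaddress.IPv6Address(addr).teredo
    d = decode_teredo(addr)
    return (str(server), str(client)) == (d["server"], d["client_public_ipv4"])
```

The practical point: the address alone gives away the NAT's public IPv4 address, the UDP port mapped to the host and whether the NAT is a cone NAT, which is exactly the kind of information a firewall is meant to keep from an unauthenticated outside party. On Windows Vista, `netsh interface teredo show state` reports whether the interface is currently active.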
While this is an information disclosure issue only, we encourage customers to apply this security update to their affected systems.
Finally, I want to share a reminder that we'll be holding our live webcast to address questions about this month's security bulletins with our subject matter experts on Wednesday, July 11, 2007, at 11 a.m. PDT. Mike Reavey and I will cover this month's release, then answer listeners' questions live on the air. If you can't participate in the live webcast, you can always listen to it later on demand. You can register for it at this location.
The August 2007 monthly bulletin release is scheduled for Tuesday, Aug. 14. I'll be back then with information you can use for your assessment and deployment of that month's security updates.