Inside MSRC: Microsoft updates WSUSSCAN issue

To help you better understand some of the things you need to know about this month's release, I'll first update you on the status of the WSUSSCAN.CAB issue, help you understand how our detection and deployment tools relate to our recently released products, and then provide some information about MS07-001 so you can better understand what systems are vulnerable.

Update: WSUSSCAN.CAB

In the December 2006 column I noted that for the January 2007 release we could have been forced to remove information about security updates that were older but still current. I'm happy to note that the information we removed for the December 2006 release provided enough space for information for the January 2007 release. This means that we have not removed any information from the legacy WSUSSCAN.CAB for January 2007. However, we do think we will need to remove information about current security updates for the February 2007 release.

About Inside MSRC: As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates. Also see: Inside MSRC: Visual Studio flaw, tool extensions explained Inside MSRC: Microsoft details security tool update

As a reminder, we will be providing support for the legacy WSUSSCAN.CAB for the February 2007 and March 2007 releases. After the March 2007 release, no new versions of the WSUSSCAN.CAB will be posted.

We strongly encourage the deployment of the updated versions of the Systems Management Server Inventory Tool for Microsoft Updates (SMS ITMU v3) or Microsoft Baseline Security Analyzer (MBSA) 2.0.1, if you use it in offline-scan mode. These updated versions use the new architecture and previous versions will no longer be effective after the March 2007 release.

With the end of support for the legacy WSUSSCAN.CAB fast approaching and the chance that we will be forced to remove information about older but still current security updates for the February release, it's increasingly important for customers to deploy the updated versions as soon as possible.

Detection and Deployment Tools

This season we've seen a number of major new products released: Windows Internet Explorer 7 (IE 7), the 2007 Microsoft Office system and, of course, the Windows Vista operating system. Even though this month doesn't have any updates for these products, as these new products have been released, we've started getting questions from customers about our support for the products through our detection and deployment tools. So, to help with your planning, I will give you an overview of how these new versions relate to our detection and deployment tools.

Microsoft Update (MU) and Windows Server Update Services (WSUS) provide full support for all three new products. So if you're directing your users to MU or are using WSUS in your environment, you already have support for these new products.

With SMS there are some differences in support based on the version of the detection engine. The SUS feature pack that can be used with both SMS 2.0 and SMS 2003 provides support for current versions of Office, and will also support the 2007 Office release. The SUS feature pack doesn't provide detection support for Windows Vista or Internet Explorer 7. The latest version of the SMS ITMU that can be used with SMS 2003 (released in November 2006) also supports IE 7, in addition to providing support for the 2007 Office release and Windows Vista. Because the SUS feature pack is the only detection engine available for SMS 2.0, if you're planning on introducing Windows Vista-based systems into your environment and you're running SMS 2.0, you should consider upgrading your SMS infrastructure to SMS 2003 so you can support the newest version of the SMS ITMU. This, in addition to the support for the new WSUSSCAN.CAB, is an excellent reason to upgrade to the latest version.

MBSA 1.2.1 provides support through the Office Detection Tool (ODT) for local detection for 2007 Office release updates. However MBSA 1.2.1 does not provide support for Windows Vista or IE 7.

MBSA 2.0.1 provides full support for IE 7 and the 2007 Office release. However, it only provides support for the remote scanning of Windows Vista systems with some limitations, including support only for offline security update scans from Microsoft Update. Full support for Windows Vista within MBSA will be provided by the upcoming MBSA 2.1. We intend to have a beta version of MBSA 2.1 available in the next few months and a full release hopefully sometime around summer 2007. So, if you're an MBSA user and have the 2007 Office release or Windows Vista systems in your environment, you'll need to scan these systems from a non-Windows Vista machine for the short term, and should plan to upgrade to MBSA 2.1 when it's released.

MS07-001

I want to briefly note the scope of affected systems related to MS07-001. The vulnerability addressed by this bulletin is a in the Office 2003 Brazilian Portuguese Grammar Checker, so for a system to be vulnerable, it must have the Office 2003 Brazilian Portuguese Grammar Checker installed. This means that the systems which are vulnerable will be those with the Brazilian Portuguese-localized version of Office 2003 installed, those with Brazilian Portuguese installed as part of the Office 2003 Multilingual User Interface, and those that have installed Brazilian Portuguese Language Proofing tools as part of Office 2003.

As always, the easiest way to identify systems to which this update applies is to use Microsoft detection and deployment tools: MBSA, MU, WSUS and SMS 2003 with the ITMU.

Conclusion

I hope this bulletin has been helpful for your analysis and planning. Another helpful resource is our TechNet Security webcast. Each month we do this webcast on the day after the security bulletin is released to go over the bulletins. This month's webcast will be on Wednesday, Jan. 10, 2007, at 11 a.m. PST. During the live webcast broadcast, we'll answer your questions on the air and review information about the month's bulletins. If you can't catch the webcast live, you can always view it on demand. Register for the webcast.

Last, I want to remind you that the February 2007 monthly release will be on Tuesday Feb. 13, 2007. To help you with planning, our regular pre-release information will be posted on the previous Thursday, Feb. 8, 2007, at our advance page.

Finally, we'll post the February column here on the SearchSecurity site, along with information to aid you with analysis and planning.