Inside MSRC: Windows Vista security update explained

Microsoft's Christopher Budd details the first Windows Vista security updates.


The April 2007 monthly security bulletin release is our first regular monthly release since February 2007. Since the last bulletin release, we issued MS07-017 one week early as an out-of-band release to help protect customers, and released five new security updates as part of our regular monthly release process.

In this month's column, I'll discuss information about MS07-017 as well as the five April updates. And since this is the first bulletin release to cover Windows Vista, I'll focus this month on information you'll need to know about the new operating system. I'll close with a final update for you on the WSUSSCAN.CAB issue.

MS07-017

MS07-017 addresses seven vulnerabilities in Microsoft Windows. The most noteworthy of these vulnerabilities is the Windows Animated Cursor Remote Code Execution Vulnerability (CVE-2007-0038). On March 28 we learned through a Microsoft Security Response Alliance (MSRA) partner that this vulnerability was being used in an attack. We mobilized our Software Security Incident Response Process (SSIRP) as soon as we got the report and worked through the night to investigate and publish Microsoft Security Advisory 935423.

This vulnerability had been responsibly reported to us by a security researcher in late December 2006 and had been under investigation with a security update under development. At the time of the attack, that update was planned for release as part of our April 2007 monthly security bulletin release. The update under development addressed this vulnerability as well as six other vulnerabilities.

About Inside MSRC:
As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

Based on the risk to customers from the attack, we evaluated our options and determined that the best way to protect customers was to expedite the final testing of the planned update and release it early. We worked on final testing through the weekend to ensure the security update met the level of quality appropriate to be released out of band on Tuesday April 3. Sunday evening, April 1, we posted a special edition of the Microsoft advance notification and noted on the MSRC blog that we would be releasing the update for this issue early.

The pre-release testing uncovered one known issue affecting Windows XP SP2 users with the RealTek Audio control panel. As part of our regular process, we documented this issue in the Master Knowledge Base article referenced in the Caveats section of the security bulletin. For MS07-017, this is Microsoft Knowledge Base Article 925902. Specifically, a hotfix available through Microsoft Knowledge Base Article 935448 resolves this issue.

Since the release, we have learned of three other applications that have issues after the update for MS07-017 is applied. The hotfix associated with Microsoft Knowledge Base Article 935448 addresses these issues.

Based on customer feedback, as part of the April monthly release we've released this hotfix through Windows Update (WU), Microsoft Update (MU) and Automatic Updates (AU) to deliver the hotfix automatically as a High Priority Non-Security update. Only customers with the security update for MS07-017 and any of these four applications will receive the update. Windows Server Update Services (WSUS) and Software Update Services (SUS) customers can approve the hotfix to have it installed on systems with the security update for MS07-017 and any of these four applications.

Because this is a hotfix and not a security update, the Microsoft Baseline Security Analyzer (MBSA) and Systems Management Server (SMS) security update tools will not automatically identify or deploy it. However, SMS customers can build custom detection and deployment packages, and all customers can identify if the hotfix is installed using the information in the Knowledge Base article.
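The column notes that MBSA and SMS will not flag the hotfix, but that you can tell whether it is installed from the Knowledge Base article. As an added example (not from the column or from Microsoft), the PowerShell below reports systems that have the MS07-017 security update (KB925902) installed but are missing hotfix KB935448, so those systems can be targeted with a WSUS approval or a custom SMS package. It assumes PowerShell 2.0 or later with remote WMI access, and it does not check for the four affected applications, which the column does not name.

```powershell
# Added example, not Microsoft's code: list hosts with the MS07-017 update installed
# but without the follow-up hotfix. Assumes PowerShell 2.0+ (Get-HotFix wraps
# Win32_QuickFixEngineering) and that remote WMI/DCOM access is permitted.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)   # constructed default: local host only
)

$securityUpdate = 'KB925902'   # MS07-017 security update (KB number from the column)
$hotfix         = 'KB935448'   # non-security hotfix for the post-MS07-017 application issues

foreach ($computer in $ComputerName) {
    try {
        # One inventory query per host; HotFixID values look like "KB925902"
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     ForEach-Object { $_.HotFixID }
    } catch {
        Write-Warning "$computer : could not enumerate installed updates ($($_.Exception.Message))"
        continue
    }

    $hasUpdate = $installed -contains $securityUpdate
    $hasHotfix = $installed -contains $hotfix

    # Only hosts that have the security update but not the hotfix need action;
    # neither MBSA nor the SMS security tools will surface this on their own.
    New-Object PSObject -Property @{
        ComputerName = $computer
        HasMS07_017  = $hasUpdate
        HasKB935448  = $hasHotfix
        NeedsHotfix  = ($hasUpdate -and -not $hasHotfix)
    }
}
```

Pipe the output to Where-Object { $_.NeedsHotfix } to get just the hosts still to be patched.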

Windows Vista and the April 2007 security updates

We have also released our first security updates for Windows Vista. Since this is the first month for updates for the new operating system, I wanted to help you understand how this month's updates apply to Windows Vista.

Two of the five bulletins for Windows in April 2007 apply to Windows Vista: MS07-017 and MS07-021. The other three bulletins that apply to Windows — MS07-019, MS07-020 and MS07-022 — do not apply to Windows Vista at all. Of the seven vulnerabilities discussed in MS07-017, only two of the issues apply to Windows Vista.

Windows Vista and detection and deployment tools

I have briefly discussed in previous columns some of our support for Windows Vista with our detection and deployment tools. I wanted to review this information and cover how all our detection and deployment tools provide support for Windows Vista.

Windows Update, Microsoft Update, Automatic Updates

Windows Update (WU), Microsoft Update (MU) and Automatic Updates (AU) fully support Windows Vista in the same way they support Windows XP. By default, Windows Vista will use Windows Update for Automatic Updates, just like Windows XP SP2. We strongly recommend that you opt in to Microsoft Update either by clicking "Get updates for more products" in the Windows Update control panel or by going to the Microsoft Update site. Also, I want to note that both Microsoft Office 2007 and Windows Live OneCare will offer to enable your system for Microsoft Update. Using Microsoft Update will give you broader protection by providing updates for applications such as Microsoft Office in addition to the updates you would get through Windows Update.

There are some small changes to the Windows Update client in Windows Vista. Specifically, the Windows Update client is now located as an applet in the Control Panel and security updates appear under the Important category.

Windows Server Update Services and Windows Software Update Services

Windows Server Update Services (WSUS) fully supports Windows Vista just as it does Windows XP SP2. WSUS also provides the same updates as Microsoft Update, so if you run a small or medium-sized organization, we strongly encourage you to consider putting WSUS in place. Software Update Services (SUS) does not support Windows Vista. Also, SUS is nearing the end of support, so if you're a SUS customer evaluating Windows Vista, you should include an upgrade to WSUS as part of your planning.

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) will provide full support for Windows Vista with upcoming version 2.1, which is in beta testing. MBSA 2.1 beta is available today from the MBSA site and fully supports this month's updates for Windows Vista.

If you are an MBSA 2.0.1 customer, you can use MBSA 2.0.1 to scan Windows Vista systems remotely for this month's updates. MBSA 1.2.1 does not provide any support for Windows Vista. If you are an MBSA 1.2.1 customer evaluating Windows Vista, you should include an upgrade to MBSA 2.1 as part of your planning. You can check Microsoft Knowledge Base article 931943 for information on MBSA support for Windows Vista.

Systems Management Server

Systems Management Server (SMS) provides support for Windows Vista through SMS 2003 Inventory Tool for Microsoft Updates (ITMU) version 3, which was released in November 2006. If you are an SMS ITMU customer, you should already be running version 3 to support the new WSUSSCAN.CAB format. Earlier versions of the SMS ITMU and the SMS Security Update Inventory Tool do not provide support for Windows Vista. If you use SMS and are evaluating Windows Vista, you should include SMS 2003 ITMU version 3 as part of your planning.

Final Update on WSUSSCAN.CAB

In this column, I've been keeping you updated on the situation with the WSUSSCAN.CAB, alerting you to the impending end of support for the legacy WSUSSCAN.CAB and the impact of that on our detection and deployment tools. I have a final update. As a reminder, the architectural change from the WSUSSCAN.CAB to the WSUSSCN2.CAB file means that anyone using MBSA 2.0 in offline-scan mode needs to use MBSA 2.0.1, and anyone using SMS ITMU needs to use SMS ITMU version 3. These tools had to be updated to support the new architecture. You can get more information on the new WSUSSCN2.CAB file in Microsoft Knowledge Base article 926464.

The February 2007 release was the last release with support for the legacy WSUSSCAN.CAB. There is no support in the April releases for the legacy WSUSSCAN.CAB. This means that if you are using the tools I mentioned and haven't updated to the latest versions, those tools will not help provide protection for the bulletins released today.

Conclusion

In closing, I want to remind you that we'll be discussing all of April's bulletins during our regularly scheduled April 2007 TechNet security bulletin webcast.

Our May 2007 monthly security bulletin release is scheduled for Tuesday May 8, and the May 2007 advance notification will be posted the Thursday before, on May 3, 2007. I'll join you once again in this space next month with important information to help you plan for and deploy any updates we release in May.