Microsoft issues further guidance on Exchange update

Microsoft's Christopher Budd explains vulnerabilities affecting Microsoft Exchange and other critical patch updates.

Exchange 2007 is following a new servicing model ... Security updates will require that you have the latest update rollup installed.
Christopher Budd,
security program managerMicrosoft Security Response Centre (MSRC)

With the May 2007 monthly security bulletin release, we are releasing a security update (MS07-029) for the Windows Domain Name System (DNS) Server vulnerability that we first discussed last month in Microsoft Security Advisory 935964. In addition to MS07-029, we are releasing six new security bulletins.

I will give you a brief overview of the circumstances around MS07-029. After that, I will cover important information about the other updates releasing this month to help you with your planning and deployment. Before that, though, I will highlight some Support Lifecycle dates to help with your planning.

Microsoft Support Lifecycle Update

Public security support for Windows Server 2003 SP0 (RTM) expired with the April 2007 security bulletin release. There is no longer public security support for Windows Server 2003 SP0 (RTM). Windows Server 2003 Service Pack 1 (SP1) and Windows Server 2003 Service Pack 2 (SP2) are the currently supported versions of Windows Server 2003, and we encourage all customers to be on one of these supported versions to ensure continued public security support.

Next, I want to note that Windows Server 2003 SP2 will be made available through Automatic Updates (AU) beginning June 12. If you use AU and have not installed Windows Server 2003 SP2 and do not want it installed automatically by AU, you should follow the Microsoft instructions made available.

At the end of April, a new version of Windows Server Update Services (WSUS) 3.0 was released. Support for Software Update Services (SUS) 1.0 will expire with the July 10 monthly security bulletin release. If you are a SUS 1.0 customer and have not yet migrated to WSUS, you may want to evaluate WSUS 3.0. There will be no support for deploying new security updates using SUS 1.0 after the July 10 release, so it's important that you complete your migration by that date to ensure no disruption of the delivery of security updates for your environment. You can get more information about WSUS 3.0 at the WSUS Web site.

Public security support for two SQL Server service packs will also end with the July 10 security bulletin release. SQL Server 2000 Service Pack 3a and SQL Server 2005 Service Pack (RTM) will be expired. We encourage customers on these versions to upgrade to SQL Server 2000 Service Pack 4 and SQL Server 2005 SP1 before the July 10, 2007, deadline.

As always, you can get more information on the Microsoft Support Lifecycle dates for your planning.


If you are a regular reader of the Microsoft Security Response Centre blog, then you're probably up to date with the latest information around the DNS vulnerability that MS07-029 addresses.

About Inside MSRC:
As part of a special partnership with, Christopher Budd, security program manager for the Microsoft Security Response Centre (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

Also see:

Inside MSRC: Windows Vista security update explained

Inside MSRC: Microsoft explains security bulletins

Inside MSRC: Microsoft updates WSUSSCAN issue

We became aware of a limited attack targeting a new vulnerability in the Windows DNS Server on April 12, 2007. We initiated our Software Security Incident Response Process to investigate the issue and published Microsoft Security Advisory 935964 the following morning with workarounds customers could implement to protect against attempts to exploit the vulnerability while we worked on a security update. MS07-029 is the security update that resolves this issue. Throughout the life of the situation, we've been constantly monitoring and working with partners in the Microsoft Security Response Alliance to provide protections through security products such as antivirus, intrusion detection and intrusion prevention systems. Attacks remained limited throughout the life of the situation, and our teams and partners identified a total of five pieces of malicious software that attempted to exploit the vulnerability as of this writing. We believe the attacks were limited in part due to customers' deploying the workarounds that we recommended in the advisory.

Even though attacks remain limited, because they are active, we encourage customers to make this update their highest priority for testing and deployment. The security update will not undo any workarounds you may have deployed. This means that your deployment plan will need to include steps to remove the workarounds. If you have deployed the workarounds, you should keep those in place until you have deployed the security update and rebooted your system. At that point, you can go ahead and remove the workarounds you've implemented.


The next bulletin we encourage you to deploy with high priority in your environment is MS07-024. This bulletin addresses a vulnerability in Microsoft Word first discussed on Feb. 14, in Microsoft Security Advisory 933052. The vulnerability does not affect Word 2007 but does affect all other currently supported versions of Microsoft Word. Our initial investigation indicated this was subject to very limited and targeted attacks to Word. Our ongoing monitoring of the situation has indicated that the scope of attacks has remained limited throughout the life of the issue. Once again, although attacks have been very limited and targeted, we encourage you to test and deploy this with high priority.


MS07-026 is a bulletin for Microsoft Exchange that addresses a total of four vulnerabilities. Two of these vulnerabilities affect Exchange 2007. Because this is the first bulletin for Exchange 2007, I want to note a couple of things specific to Exchange 2007 to help with your planning and deployment.

First, Exchange 2007 is following a new servicing model. Among other things, this means that you should plan to regularly update your Exchange systems with the provided update rollups. Security updates will require that you have the latest update rollup installed.

The Exchange team has made more information available on this issue. Also note that Exchange 2007 is only supported on 64-bit systems. Although you can test Exchange 2007 on 32-bit systems, that is not a supported configuration.

Exchange 2007 on 64-bit systems is fully supported by Microsoft Baseline Security Analyser (MBSA) 2.0.1, WSUS 2.0 and WSUS 3.0, and Systems Management Server (SMS) 2003 Inventory Tool for Microsoft Updates (ITMU). There is no support for detection and deployment of security updates for Exchange 2007 on 32-bit systems.

Finally, I want to call your attention to the attack against MIME Decoding vulnerability — CVE-2007-0213 in this bulletin. Because this vulnerability could be exploited through processing a malformed e-mail, we encourage you to test and deploy this update with high priority.

MS07-023 and MS07-025

I want to call out a couple of things regarding MS07-023, our bulletin for Microsoft Excel. One of the vulnerabilities we're addressing in this bulletin affects Excel 2007. However, the vulnerability is in the processing of older Excel files -- it does not affect the handling of the new file formats. If you are using Excel 2007, one workaround you can put in place in your environment would be to block access to the older Excel file type. This is called out in the bulletin, but you can get more information about the Excel workaround.

As MS07-025 also affects Microsoft Office 2007, I wanted to note that for your detection and deployment planning, Office 2007 is fully supported by MBSA 2.0.1, WSUS 2.0 and WSUS 3.0, and SMS 2003 ITMU.

As we do each month, we'll be holding our regularly scheduled TechNet Security Bulletin webcast on Wednesday, May 9, 2007, at 11 a.m. Pacific Time. The TechNet webcast will be available for on-demand viewing.

In closing, remember that the June 2007 monthly bulletin release is scheduled for Tuesday, June 12. I'll join you in the June version of this column with important information to help with your testing and deployment of the June security updates.

Read more on Microsoft Windows software