Inside MSRC: Microsoft security matters on MOICE and Outlook flaws

Microsoft's Christopher Budd outlines the finer points behind this month's security bulletins and gives an update on the new bulletin layout.

Administrators should be aware of changes to the security bulletin and advanced notification. In addition, we've released two security advisories in the past month -- an update to the Windows Installer and the Microsoft Office Isolated Conversion Environment (MOICE). As I do each month, I'll cover this important information in more detail to help with your risk assessment, planning and deployment for the security updates.

New Advanced Notification Service (ANS) and Security Bulletin Design Changes

Changes were made to the Advanced Notification Service (ANS) and the format of our security bulletins for the June release. You may have read about these changes in the MSRC weblog post on May 16, 2007.

The ANS is the information we provide on the Thursday before the monthly bulletin release on the second Tuesday of the month. Based on customer requests, we have provided this information to assist customers with their advanced planning for the monthly release. The goal is to provide enough information to assist with planning while not increasing customer risk.

The original ANS provided information that was aggregated by high-level product family (e.g., Microsoft Windows, Microsoft Office). Under the new ANS, we're providing the same information about the upcoming security updates, but now we provide it for each individual bulletin that will be released rather than aggregating it by high-level product family. We believe that this change provides more granular detail to better help with planning without presenting an unacceptable risk to customers. As with the original ANS, this information is subject to change until the release of the actual bulletin on the second Tuesday of the month.

The new security bulletin design is the product of ongoing work with customers to make the security bulletins easier to use. We've made many changes to the format, but the most important points to note are that we've moved content to make it easier to find, information is clearer, and we've eliminated repetition of information where possible.

About Inside MSRC:

As part of a special partnership with, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.


Microsoft Security Advisory (927891) and Microsoft Security Advisory (937696)

Since the May release, we have released two security advisories to let you know about important security-related releases and information. While we often use security advisories to inform customers about security incidents, we also use them to advise customers about important information that may relate to their overall security. We believe you should review these two advisories to learn about nonsecurity updates and information that may be important to your overall security.

The first advisory, Microsoft Security Advisory (927891), is to let you know about an update to the Windows Installer. This update addresses issues some customers have had when applying updates from Windows Update, Microsoft Update and Automatic Updates. Because this can affect your ability to apply security updates as well as nonsecurity updates, we recommend that you review this advisory and take the appropriate action for your environment.

The second advisory, Microsoft Security Advisory (937696), is to let you know about the Microsoft Office Isolated Conversion Environment (MOICE) and the ability to restrict opening or saving types of files in Microsoft Office 2003 and the 2007 Microsoft Office system (sometimes called "file block"). These two tools can be used together to make it easier to protect against Microsoft Office files that may contain malicious software, such as unsolicited Microsoft Office files received from unknown or known sources. Because of this, we encourage you to review the advisory and evaluate these tools for your environment, especially if you are running Office 2003.

More details can be found on our May 22 MSRC blog posting and in the advisories themselves.

Detection and Deployment Tool Deadlines

There are two very important deadlines that relate to our detection and deployment tools.

The June 2007 release marks the extended deadline for support for Software Update Services (SUS) 1.0. After this release, no further updates will be made available through SUS 1.0. If you're a SUS 1.0 customer and have not already upgraded to Windows Server Update Services (WSUS) 2.0 or the new WSUS 3.0, we strongly encourage you to do so right away. You can get more information about WSUS.

Also, our support for Microsoft Baseline Security Analyzer (MBSA) 1.2.1 will end Oct. 9, 2007. All customers are encouraged to upgrade to MBSA 2.0.1, the latest version of MBSA. For customers using legacy products that are not supported by MBSA 2.0.1, Shavlik Technologies provides a free MBSA 2.0.1 companion tool called Shavlik NetChk Limited. You can get more information about MBSA 2.0.1 and about Shavlik NetChk Limited.

MS07-031 addresses a vulnerability in the Secure Channel (Schannel) security package in Windows. Schannel implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for Windows. These are best known for use with secure Web sites that use HTTPS.

This is a code execution vulnerability in the operating system's security context (LocalSystem) on Windows XP Service Pack 2. For Windows 2000 and Windows Server 2003, this is a denial of service vulnerability that could cause the system to stop accepting SSL/TLS connections until the system is restarted. In the case of Windows Server 2003, it could instead cause the system to restart. Windows Vista is not affected by this vulnerability. Any attempt to exploit the vulnerability would require convincing the user to navigate to a malicious Web site.

This vulnerability was responsibly reported to us; however, there are no workarounds for it. Also, in the case of this particular vulnerability on Windows Server 2003, the Enhanced Security Configuration does not mitigate attempts to exploit this vulnerability. In light of these facts and the importance of SSL/TLS, we encourage all customers to prioritize this security update for deployment.

MS07-034 addresses information disclosure vulnerabilities in Outlook Express 6 and Windows Mail and a code execution vulnerability in Windows Mail.

The code execution vulnerability in Windows Mail was publicly disclosed with proof-of-concept code in March 2007. The original public discussion around the vulnerability indicated that user interaction was required in any attempt to exploit the vulnerability; however, our security teams' internal research showed that in very specific, nondefault scenarios there is a possibility of this vulnerability being exploited without user interaction. Because we are conservative in our severity rating, we have rated this issue as Critical. Because we have not identified any workarounds for this particular vulnerability, we encourage you to prioritize this security update for deployment.

We'll be holding this month's regularly scheduled TechNet Security Bulletin webcast on Wednesday, June 13 at 11 a.m. Pacific Time. It will also be available for on-demand viewing.

In closing, I'd like to remind you that the July 2007 monthly bulletin release is scheduled for Tuesday, July 10, 2007. I'll be back then with information you can use for your assessment and deployment of the July security updates.