What a difference a month makes. Last month, Microsoft said it had no security fixes. This month, it’s releasing five security bulletins, four of which are rated as “critical.”
Notably absent from today’s fixes was anything for Office, even though there is at least one outstanding Word vulnerability, CVE-2007-0870, which has been around since February.
And late Tuesday afternoon McAfee’s Avert Labs reported it had found a new zero-day exploit affecting Office. It follows a typical timing pattern of releasing exploits for non-patched vulnerabilities immediately after Patch Tuesday, so as to maximize exposure.
Four of the five bulletins Microsoft announced are in the Windows operating systems, and three of the four are listed as “critical,” the highest level of urgency. Of the four Windows bulletins, two involve Vista.
The fifth bulletin was for Microsoft’s Content Management Service, which is built on .Net technology. In a rare instance of pro-active agreement with Microsoft, McAfee and other security vendors urged users today to patch their systems as soon as possible. Often the companies let the Patch Day notices go without comment.
“Of particular concern are CVE-2007-0938, the Microsoft Content Management Service Remote Code Execution Vulnerability of MS07-018 and MS07-021, and the MsgBox (CSRSS) Remote Code Execution Vulnerability,” said David Marcus, security research and communications manager, McAfee Avert Labs in a statement.
“Both of these can result in remote code execution on affected systems. Combined with the popularity of browser or Web-based attack vectors, these vulnerabilities can be particularly dangerous. Consumers and enterprises should take these vulnerabilities very seriously and employ a risk-based management approach to make sure they are properly protected.”
Marcus added that due to the severity of these software holes, administrators need to keep their security measures up to speed while testing the patches, since patches themselves can often cause problems. A recent fix for a flaw in Microsoft’s animated cursors ended up causing some compatibility problems.
“Home users will auto download and install a patch right away. Enterprises will download a patch into a testing environment, test them against their systems for a period of time to make sure it doesn’t crash anything. The standard time for testing on that is 96 hours, with some going as high as 120. In that time, you remain vulnerable and need to have the right protections in place,” he told internetnews.com.
Paul Zimski, director of product and market strategy at security advisor PatchLink, told internetnews.com in an e-mail statement: “The overall effect of the five critical patches released is a lot for organizations to deal with – not because of the total number of patches but rather because they represent a broad spectrum of exposure (remote, local and client side) as well as avenues of attack: insider threats, targeted phishing (spearphishing), and network born remote OS attacks.”
All of the critical fixes relate to remote code execution, which is oftentimes used to install botnets and malware
As part of the monthly update cycle, Microsoft has added new detection signatures to its Malicious Software Removal Toolkit. This month it adds recognition of the Win32/Funner worm
All of the updates are available through Windows Update or can be manually downloaded from Microsoft.
A webcast will be held on Wednesday at 11 am PST to discuss the fixes.