Microsoft starts the year with 4 security updates: Details and recommendations

Introduction

Much to the relief of the system administrators Microsoft decided to release only four security updates. The bad news is that Microsoft probably axed some of the critical  updates affecting Enterprise applications. Hopefully Microsoft will release those in the coming months.

Details

Bulletin MS07-001: This update resolves a newly discovered, publicly reported vulnerability.
Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution - CVE-2005-5574: This is still in the candidacy stage with the CVE. An attacker who successfully exploited this vulnerability could take complete control of an affected system. A remote code execution vulnerability exists in Office 2003 Brazilian Portuguese Grammar Checker. An attacker could exploit this vulnerability when Office opens a file and parses the text. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Mitigating factors: The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message or reply to an e-mail if Word is being used as the e-mail editor.

My Recommendation: Don't bother with this update if you don't have a multilingual environment.

Bulletin MS07-002: This update resolves several newly discovered, privately reported vulnerabilities. There are totally five vulnerabilities that are fixed in this update the maximum severity of which is Critical.
    
Excel Malformed IMDATA Record Vulnerability - CVE-2007-0027: A remote code execution vulnerability exists in Microsoft Excel. An attacker could exploit this vulnerability when Excel parses a file and processes a malformed IMDATA record. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Excel Malformed Record Vulnerability - CVE-2007-0028: A remote code execution vulnerability exists in Microsoft Excel. An attacker could exploit this vulnerability when Excel parses a file and processes a malformed record. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
    
Excel Malformed String Vulnerability - CVE-2007-0029: A remote code execution vulnerability exists in Microsoft Excel that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Excel Malformed Column Record Vulnerability - CVE-2007-0030: A remote code execution vulnerability exists in Microsoft Excel. An attacker could exploit this vulnerability when Excel parses a file and processes a malformed Column record. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Excel Malformed Palette Record Vulnerability - CVE-2007-0031: A remote code execution vulnerability exists in Microsoft Excel. An attacker could exploit this vulnerability when Excel parses a file and processes a malformed Palette record. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Mitigating factors:

1. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e- mail message.
2. Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. The features of the Office Document Open Confirmation Tool are incorporated in Office XP and Office 2003.

My Recommendation: If you have not upgraded your environment to Office 2007 yet (as I expect it to be) you should apply this update immediately (Unless you are the unlikely ones who use Openoffice.org)

Bulletin MS07-003: This update addresses several newly discovered, privately and publicly reported vulnerabilities. When using vulnerable versions of Office, if a user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update addresses three security vulnerabilities.

Microsoft Outlook VEVENT Vulnerability - CVE-2007-0033: A remote code execution vulnerability exists in Microsoft Outlook. An attacker could exploit this vulnerability when Outlook parses a file and processes a malformed VEVENT record. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
   
Microsoft Outlook Denial of Service Vulnerability – CVE-2006-1305: A denial of service vulnerability exists in Outlook in its processing of e-mail header information. An attacker who successfully exploited the vulnerability could send a malformed e-mail to a user of Outlook that would cause the Outlook client to fail under certain circumstances. The Outlook client would continue to fail so long as the malformed e-mail message remained on the e-mail server. The e-mail message could be deleted by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express, after which point the Outlook client would again function normally.

Microsoft Outlook Advanced Find Vulnerability - CVE-2007-0034: A remote code execution vulnerability exists in Microsoft Outlook. An attacker could exploit this vulnerability when Outlook parses an .oss file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Mitigating factors:
For CVE-2007-0033: MAPI is not a valid attack vector for this issue due to Exchange's handling of iCal calendar data embedded in messages or in .ICS attachments.
For CVE-2006-1305:

• The vulnerability is a denial of service vulnerability only. The attacker would not be able to access the user's e-mail or system in any way. The vulnerability could not be used to read, delete, create, or alter the user's e-mail.
• If an attacker was able to send a malformed e-mail that successfully exploited this vulnerability, the malformed e-mail could be deleted either by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express. Once the specially malformed e-mail has been removed, normal  operation would resume.

For CVE-2007-0034: The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.

My Recommendation: I would recommend that you apply this security update immediately.

Bulletin MS07-004: This update resolves a public vulnerability as well as additional issues discovered through internal investigations. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

VML Buffer Overrun Vulnerability - CVE-2007-0024: A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating factors:

1. In an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. Instead users would have to either click on a  link that would take them to a malicious Web site or open an attachment to be at risk from this vulnerability.
2. In an e-mail based attack of this exploit, customers who read e-mail using Outlook Express on Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, are at less risk from this vulnerability because Binary and Script Behaviors is disabled by default in the Restricted sites zone.

My Recommendation: I would recommend that you apply this security update immediately.