Microsoft Patch Tuesday: January 2007
Welcome to 2007! Before we get started, I'd like to wish you all a happy, healthy, and safe year from the DeepSight research teams here at Symantec. May all your plans come to fruition, and may all your patches apply smoothly...
This month's patch release by Microsoft is a little lighter than previous releases, and lighter even than Microsoft itself initially projected. On January 4th, as per its usual policy, Microsoft publicly released high-level details of the planned release. The initial advance notification mentioned eight patches. However, the notification was later modified to list only four releases. Included among the delayed releases are fixes for various Word issues. The updates for January that did make the cut cover 10 distinct vulnerabilities, which are primarily file-based, client-side issues in the Office suite.
This patch addresses one vulnerability, which affects the Brazilian Grammar Checker in Office 2003.
- Microsoft Office Brazilian Portuguese Grammar Checker Remote Code Execution Vulnerability
BID 21942; CVE-2006-5574 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)
A buffer overflow in the Portuguese Grammar Checker functionality could allow attackers to gain control over affected systems via malformed .DOC files. Users who do not have Brazilian Portuguese support installed will not be affected even when opening a malicious document.
This patch covers five vulnerabilities in Excel and also replaces MS06-059 released in October. Excel versions 2000, 2002, 2003, and 2004, and X for Mac are affected, as well as Excel Viewer 2003. All five vulnerabilities are buffer overflow issues that can allow hostile spreadsheets to execute arbitrary, attacker-supplied code on the target system at the privilege level of the current user. As they are all very similar, I won't go into great detail here. If more information is desired, please refer to the vulnerability listing (by clicking on the BID number) or the Microsoft bulletin.
- Microsoft Excel Malformed Record Remote Code Execution Vulnerability
BID 21952; CVE-2007-0028 (Symantec Urgency Rating: 7.4/10; MS Rating: Critical)
- Microsoft Excel IMDATA Record Remote Code Execution Vulnerability
BID 21856; CVE-2007-0027 (Symantec Urgency Rating: 7.4/10; MS Rating: Critical) This vulnerability does not affect Office 2003.
- Microsoft Excel Malformed Column Record Remote Code Execution Vulnerability
BID 21925; CVE-2007-0030 (Symantec Urgency Rating: 7.4/10; MS Rating: Critical)
- Microsoft Excel Malformed String Remote Code Execution Vulnerability
BID 21877; CVE-2007-0029 (Symantec Urgency Rating: 7.4/10; MS Rating: Critical)
- Microsoft Excel Malformed Palette Record Remote Code Execution Vulnerability
BID 21922; CVE-2007-0031 (Symantec Urgency Rating: 7.4/10; MS Rating: Critical)
This patch addresses three distinct vulnerabilities in Outlook 2000, 2002, and 2003. This patch also replaces the previously issued MS06-003 from January of last year for all three products.
- Microsoft Outlook Denial of Service Vulnerability
BID 21937; CVE-2006-1305 (Symantec Urgency Rating: 6.1/10; MS Rating: Moderate)
Maliciously crafted email headers can cause Outlook to crash. Outlook will crash again on each restart until the hostile email is removed from the mail server.
- Microsoft Outlook Advanced Find Remote Code Execution Vulnerability
BID 21936; CVE-2007-0034 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical)
A hostile Office Saved Searches (.OSS) file can cause Outlook to execute attacker-supplied code when Outlook processes it. The .OSS file would have to be attached to an incoming email, and the user would have to open it manually in order for exploitation to be successful. There is typically no reason for external parties to send these files. If this holds true for your organization, blocking this extension at the perimeter would be a quick fix until patch deployment is complete.
- Microsoft Outlook VEVENT Record Remote Code Execution Vulnerability
BID 21931; CVE-2007-0033 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)
Hostile iCalendar requests can also result in attacker-supplied code executing on the target system via maliciously constructed VEVENT data. The availability of external iCalendar files (.ICS) may be more important to your organization than .OSS files. If not, blocking them may be a good idea as well until patches are deployed. However, as the request can also be embedded in the email body, this is not as effective a solution. Microsoft has also provided detailed workaround steps that will reduce the functionality of calendar requests but will prevent exploitation of this issue. For more details, please see the bulletin. Unlike the other issues covered by KB925938, this vulnerability affects Outlook 2002 and 2003 only.
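The two perimeter blocks discussed above (.OSS and .ICS), sketched as a gateway check; this is an added example, not code from Symantec or Microsoft. It shows why an extension rule alone misses a calendar request carried in the message body. The function name, the reason strings, the body-marker check and the sample messages are assumptions made for illustration.

```python
# Added example, not from the original post: hold mail carrying .OSS/.ICS
# attachments or iCalendar data placed directly in the message body.
from email import message_from_string, policy

BLOCKED_EXTENSIONS = (".oss", ".ics")   # the two extensions the post names
CALENDAR_TYPE = "text/calendar"         # MIME type of an iCalendar request
CALENDAR_MARKER = b"BEGIN:VCALENDAR"    # assumption: sniff mislabelled parts


def quarantine_reasons(raw_message):
    """Return the reasons to hold a message; an empty list means deliver."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").strip().lower()
        body = part.get_payload(decode=True) or b""
        if filename.endswith(BLOCKED_EXTENSIONS):
            reasons.append("attachment:" + filename)
        # An inline meeting request has no filename, so an extension rule
        # never fires on it; the declared content type is checked instead.
        elif part.get_content_type() == CALENDAR_TYPE:
            reasons.append("inline:" + CALENDAR_TYPE)
        # Calendar data under another content type is caught by its marker.
        elif CALENDAR_MARKER in body.upper():
            reasons.append("marker:BEGIN:VCALENDAR")
    return reasons


# Constructed sample messages (not real traffic).
SAMPLE_OSS = (
    "From: a@example.com\nSubject: Search\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="Report.OSS"\n\nAAAA\n'
    "--b1--\n"
)
SAMPLE_INLINE = (
    "From: a@example.com\nSubject: Meeting\nMIME-Version: 1.0\n"
    "Content-Type: text/calendar; method=REQUEST; charset=utf-8\n\n"
    "BEGIN:VCALENDAR\nBEGIN:VEVENT\nSUMMARY:Sync\nEND:VEVENT\nEND:VCALENDAR\n"
)

if __name__ == "__main__":
    for name, raw in (("oss", SAMPLE_OSS), ("inline", SAMPLE_INLINE)):
        print(name, quarantine_reasons(raw))
```

Holding calendar content this way also stops legitimate meeting requests, which is the loss of functionality the post weighs against the block.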
This update replaces MS06-055 for Windows 2000 Service Pack 4 with Internet Explorer 6 Service Pack 1 installed, Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1. However, Windows 2000 SP4 machines without IE6SP1 are not affected. MS06-055 was originally released in September to correct a very similar vulnerability (BID 20096).
- Microsoft Windows Vector Markup Language Buffer Overrun Vulnerability
BID 21930; CVE-2007-0024 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical)
This buffer overflow in VML processing on IE 5.01, IE 5.5, and IE 6.0 can be exploited via HTML content in either Web pages or emails. Microsoft has provided detailed workaround steps that can significantly decrease the chances of exploitation. Please see the MS bulletin for more details.
And that's it! For this month anyway… We'll see each other again in February.