Video Screencast Help
The Symantec Enterprise Security business is now part of Broadcom. Click here for more details.
Security Response

Microsoft Patch Tuesday: May 2007

Created: 08 May 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:49:42 GMT
Ben Greenbaum's picture
0 0 Votes
Login to vote

May proves to be a busy month for Windowsadministrators as we received information on no less than 21vulnerabilities being addressed in this month's 7 patches. If youhappen to be responsible for any DNS servers running on Server 2000,2003 Server or SBS, you will most likely want to skip to the last oneand work your way up. For the rest of us, we'll start with the IEissues and continue from there:

MS07-027; 931768 Cumulative Security Update for Internet Explorer
This is the seemingly monthly cumulative patch for IE issues. Sixdistinct issues are addressed in IE this month, as well as two issuesin third-party ActiveX controls. Note that these two are only mentionedas footnotes in the advisory and therefore do not have their ownUrgency Ratings from Microsoft. Unless otherwise stated, all of thesemay allow an attacker to run their code at the privilege level of thecurrent user. IE7 is vulnerable to only four of them.

  • Microsoft Internet Explorer CHTSKDIC.DLL Arbitrary Code Execution Vulnerability
    BID 19529; CVE-2007-0942 & CVE-2006-4193 (Symantec Urgency Rating:8.5; MS Rating: Critical)
    This vulnerability was first published in August of last year, andaffects all versions of IE5.01 and IE6. IE7 on XP is not vulnerable bydefault, but can be made vulnerable by user configuration (allowing theaffected COM object via the ActiveX opt-in feature), and IE7 on Vistais not vulnerable at all.
  • Microsoft Internet Explorer DHTML Method Call Remote Code Execution Vulnerability
    BID 23771; CVE-2007-0944 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    This vulnerability is due to insecure handling of references to deleted or improperly-initialized DHTML objects.
  • Microsoft Internet Explorer Property Method Remote Code Execution Vulnerability
    BID 23769; CVE-2007-0945 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    This issue affects IE6 and IE7, and is caused by improper handling of malformed ‘property’ method calls.
  • Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability
    BID 23772; CVE-2007-0947 (Symantec Urgency Rating: 8.5; MS Rating: Important)
    When IE6 or IE7 (even on Vista) attempts to access a freed object inmemory, Bad Things can happen. As usual, Bad Things means remote codeexecution.
  • Microsoft Internet Explorer HTML Objects Script Errors Variant Remote Code Execution Vulnerability
    BID 23770; CVE-2007-0946 (Symantec Urgency Rating: 8.3; MS Rating: Important)
    This is a slight variant of the vulnerability described above, but affects only IE7, including IE7 on Vista.
  • Microsoft Windows Media Server MDSauth.DLL ActiveX Control Remote Code Execution Vulnerability
    BID 23827; CVE-2007-2221 (Symantec Urgency Rating: 7.8; MS Rating: Critical)
    This ActiveX control can be exploited as well, allowing attackers to run arbitrary code or crash the application.
  • Acer LunchApp.APlunch ActiveX Control Remote Code Execution Vulnerability
    BID 21207; (Symantec Urgency Rating: 8.5; MS Rating:N/A)
    This vulnerability affects only specific Acer laptops (the TravelMate4150 and Aspire 5600) that have the default LunchApp.APlunch installed(version 1 only). The included ActiveX control marks several methods as‘safe for scripting’, including the ever-popular ‘run’ method, which ofcourse allows an attacker to specify any file for execution. This wasdisclosed in November of 2006, and an exploit is available publicly.While this is not a Microsoft product, due to the nature of thevulnerability they have set the kill bit for the relevant CLSID inconcert with Acer.
  • Research In Motion Blackberry ActiveX Control Unspecified Vulnerability
    BID 23331; (Symantec Urgency Rating: 7.1; MS Rating:N/A)
    This is another third-party ActiveX control. This one is vulnerable toa buffer overflow, and has also had the appropriate kill bit set inthis patch.


MS07-026; 931832 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution
This patch addresses four issues in Exchange Server. The mostsignificant of these can be exploited to run abitrary code in thesecurity context of Exchange.

  • Microsoft Exchange Base64 MIME Message Remote Code Execution Vulnerability
    BID 23809; CVE-2007-0213 (Symantec Urgency Rating: 8.2; MS Rating: Critical)
    Exchange Server 2000, 2003, and 2007 can all be made to executeattacker-supplied code when attempting to decode base64 MIMEattachments.
  • Microsoft Outlook Web Access Remote Script Injection Vulnerability
    BID 23806; CVE-2007-0220 (Symantec Urgency Rating: 7.8; MS Rating:Important)
    Outlook Web Access is prone to script injection attacks that couldallow unauthorized users to log in as valid users and access all OWAfunctionality on the targeted user’s email. This vulnerability occursin the code that handles UTF character set labels in inboundattachments.
  • Microsoft Exchange iCal Request Remote Denial of Service Vulnerability
    BID 23808; CVE-2007-0039 (Symantec Urgency Rating:7.1; MS Rating: Important)
    An Exchange server can be brought down by sending a malicious iCalrequest to any user on the system. The Microsoft Exchange InformationStore will need to be restarted in order to restore functionality.Exchange Server 2000, 2003 and 2007 are affected.
  • Microsoft Exchange IMAP Command Processing Remote Denial of Service Vulnerability
    BID 23810; CVE-2007-0221 (Symantec Urgency Rating: 7.1; MS Rating:Important)
    Exchange Server 2000 can be brought down by attackers who supply acurrently unspecified invalid IMAP command. The IIS Admin service wouldneed to be restarted in order to regain any mail server functionality.


MS07-028; 931906 Vulnerabilities in Capicom Could Allow Remote Code Execution

  • Microsoft Capicom ActiveX Control Remote Code Execution Vulnerability
    BID 23782; CVE-2007-0940 (Symantec Urgency Rating: 8.3;MS Rating: Critical)
    By supplying specially-crafted input to a currently unspecifiedparameter in the CAPICOM Certificates Class, an attacker can cause thisActiveX control to run arbitrary code at the privilege level of thecurrent user. The affected control shipped with all versions of BizTalkServer 2004; BizTalk 2000, 2002 and 2006 are not affected.


MS07-024; 934232 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
This release patches three vulnerabilities in MS Word (and Works, in one case).

  • Microsoft Word 2000/2002 Remote Code Execution Vulnerability
    BID 22567; CVE-2007-0870 (Symantec Urgency Rating: 8.5; MS Rating: Critical)
    Word 2000 and 2002 can be made to run attacker code via a hostileDocument Stream object. This vulnerability was previously disclosed inFebruary.
  • Microsoft Word Array Remote Code Execution Vulnerability
    BID 23804; CVE-2007-0035 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    Maliciously crafted arrays in Word documents can cause code of theattacker’s choice to run in the security context of the current user.Word 2000, 2002, 2003 and 2004 for Mac are affected, as well as the2003 viewer, and even Works 2004, 2005 and 2006.
  • Microsoft Word RTF Parsing Remote Code Execution Vulnerability
    BID 23836; CVE-2007-1202 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    The RTF format strikes again, this time in Word 2000, 2002, 2003 and2004 for Mac. Unspecified rich-text properties are mishandled in suchaway that a maliciously crafted file could include code that would beexecuted in the context of the current user.


MS07-023; 934233 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
Each of these vulnerabilities offers attackers a different way toinclude code into an Excel file, which will run on vulnerable targetsystems when the file is opened. See the linked writeups and advisoryfor detailed affected version lists, but in general these affect allExcel versions 2000 and newer, with the exception of 2007, which isonly vulnerable to BID 23779.

  • Microsoft Excel BIFF record Remote Code Execution Vulnerability
    BID 23760; CVE-2007-0215 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
  • Microsoft Excel Set Font Remote Code Execution Vulnerability
    BID 23779; CVE-2007-1203 (Symantec Urgency Rating:7.1; MS Rating: Critical)
  • Microsoft Excel Filter Records Remote Code Execution Vulnerability
    BID 23780; CVE-2007-1214 (Symantec Urgency Rating: 7.1; MS Rating: Critical)


MS07-025; 934873 Vulnerability in Microsoft Office Could Allow Remote Code Execution

  • Microsoft Office Malformed Drawing Object Remote Code Execution Vulnerability
    BID 23826; CVE-2007-1747 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    Office 2000, 20003, 20004 for Mac, XP and 2007 are all prone to anerror in handling drawing objects. A hostile drawing object can beembedded into any Office-readable file format that will cause attackercode to run in the context of the current user.


MS07-029; 935966 Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

  • Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability
    BID 23470; CVE-2007-1748 (Symantec Urgency Rating:;MS Rating:Critical)
    Flaws in the DNS RPC Interface can allow attackers to gain SYSTEMprivileges on affected computers. This issue affects Windows 2000Server, Windows Server 2003 and Small Business Server 2000 and 2003.This vulnerability was first discovered in April via observation oftargeted attacks, and has since been exploited in the wild with limitedsuccess by a few Rinbot variants.


And that.... wraps it up for this week! Happy patching, and see you next month.