
Ultimate Windows Security Newsletter:

Issue #43, 04/10/07

When you look at the first bulletin in today’s summary, don’t be surprised if you feel a little déjà vu.  It is indeed the same bulletin as was released last week; Microsoft sensibly included it in today’s summary.  The only thing that’s changed from my comments published last week is that Microsoft has identified 3 more applications with compatibility problems with MS07-017/925902.  In addition to Realtek HD Audio Control Panel you may also run into problems with ElsterFormular, TUGZip and CD-Tag.  KB 925902 provides regularly updated information on these “known issues” as well as a hotfix to solve the problem if you are encountering it. 

Now, on to the other 5 bulletins released today.
 
While all but one of the bulletins are rated critical, the only bulletin currently being exploited in attacks is MS07-017, which came out last week; MS07-021 is the only other bulletin with exploit details already public.  I would give these 2 bulletins first priority.  Then I'd focus on MS07-019, which has 2 good workarounds.  All 3 of these are primarily workstation vulnerabilities.
If you maintain your website with Microsoft Content Management Server, I recommend testing and deploying MS07-018 as soon as possible because, pay attention here, it's a risk to the people (customers?) who use your site.  Yeah, the flaw is in CMS, but the risk is to the people who visit the CMS-maintained website…


Chart: today's bulletins.  For each one: KB number, exploit type, product, principal type of systems exposed, whether exploit details are public / whether it is being exploited, whether a comprehensive and practical workaround is available, Microsoft's severity rating, the vulnerable Windows or Office versions (by column: 2000 / XP / 2003 / Vista and Office 2007), notes, and Randy's recommendation.

MS07-017 (KB 925902)
  Exploit type: Arbitrary code
  Product: Windows
  Principal type of systems exposed: Workstations & Terminal Servers
  Exploit details public? / Being exploited?: Yes / Yes
  Comprehensive, practical workaround available?: No
  MS severity rating: Critical
  Vulnerable Windows or Office versions: All versions of Windows
  Notes: Animated cursor, etc.
  Randy's recommendation: Patch ASAP

MS07-018
  Exploit type: Arbitrary code
  Product: Microsoft Content Management Server
  Principal type of systems exposed: Content Management Servers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Critical
  Vulnerable Windows or Office versions: CMS 2001 SP1, CMS 2002 SP2
  Notes: CMS
  Randy's recommendation: Patch ASAP after testing.  IMPORTANT: see the introductory comments above this chart.

MS07-019
  Exploit type: Arbitrary code
  Product: Windows
  Principal type of systems exposed: Workstations only
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: Yes
  MS severity rating: Critical
  Vulnerable Windows or Office versions: 2000: No; XP: Yes; 2003: No; Vista/2007: No
  Notes: UPnP
  Randy's recommendation: Block UDP port 1900 and TCP port 2869 on the local firewall, or disable the UPnP service via Group Policy.

MS07-020
  Exploit type: Arbitrary code
  Product: Windows
  Principal type of systems exposed: Workstations & Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: Yes
  MS severity rating: Critical
  Vulnerable Windows or Office versions: 2000: Yes; XP: Yes; 2003: Yes; Vista/2007: No
  Notes: Microsoft Agent
  Randy's recommendation: Kill the Agent ActiveX control.  Once again my handy, dandy administrative template for setting the kill bits comes to the rescue.

MS07-021
  Exploit type: Arbitrary code
  Product: Windows
  Principal type of systems exposed: Workstations & Terminal Servers
  Exploit details public? / Being exploited?: Yes / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Critical
  Vulnerable Windows or Office versions: All versions of Windows
  Notes: CSRSS
  Randy's recommendation: Patch ASAP after testing.

MS07-022
  Exploit type: Privilege elevation
  Product: Windows
  Principal type of systems exposed: Workstations & Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: No, but significant prerequisites
  MS severity rating: Important
  Vulnerable Windows or Office versions: 2000: Yes except for 64-bit; XP: No; 2003: Yes except for Itanium; Vista/2007: No
  Notes: Kernel
  Randy's recommendation: Significant prerequisites make this a low priority except on Terminal Services.
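The two workarounds in the chart (the MS07-019 port block and service shutdown, and the MS07-020 kill bit) as a per-machine script.  This is code added by the editor of this page, not the newsletter's administrative template and not anything Microsoft ships; it assumes an elevated PowerShell session and the XP SP2 / Server 2003 SP1 "netsh firewall" syntax those bulletins target.  The Microsoft Agent CLSIDs are this editor's recollection of the list in the MS07-020 workaround and must be confirmed against the bulletin before deployment.  For a domain-wide rollout the author's Group Policy route (a System Services policy for UPnP and a kill-bit administrative template) is the better vehicle; this is the single-box equivalent and a way to verify the result.

```powershell
# Added example, not from the newsletter: per-machine application of the MS07-019
# and MS07-020 workarounds. Assumes an elevated session and the XP SP2 /
# Server 2003 SP1 "netsh firewall" syntax.

function Disable-UpnpExposure {
    # MS07-019 workaround. The XP firewall exposes UPnP (UDP 1900 and TCP 2869)
    # through its built-in "UPnP Framework" service exception; turn that off for
    # every profile, then remove any port openings that were added by hand.
    netsh firewall set service type=UPNP mode=DISABLE profile=ALL | Out-Null
    netsh firewall delete portopening protocol=UDP port=1900 | Out-Null
    netsh firewall delete portopening protocol=TCP port=2869 | Out-Null

    # The vulnerable component is the UPnP Device Host (upnphost); SSDPSRV is the
    # discovery service that feeds it. Stop both and keep them from restarting.
    foreach ($name in 'upnphost', 'SSDPSRV') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -ne $null) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

function Set-ActiveXKillBit {
    # MS07-020 workaround. A CLSID whose Compatibility Flags carry 0x400 (the
    # "kill bit") is refused by Internet Explorer no matter what a page asks
    # for; the control stays installed for other hosts.
    param([Parameter(Mandatory=$true)][string[]]$Clsid)
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    # 32-bit IE on a 64-bit OS reads the Wow6432Node view; set both where present.
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
        $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($base in $bases) {
        foreach ($id in $Clsid) {
            $key = Join-Path $base $id
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
        }
    }
}

function Test-ActiveXKillBit {
    # Verification: $true only if every CLSID has the kill bit set in the native view.
    param([Parameter(Mandatory=$true)][string[]]$Clsid)
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    foreach ($id in $Clsid) {
        $key = Join-Path $base $id
        if (-not (Test-Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
        if (($flags -band 0x400) -ne 0x400) { return $false }
    }
    return $true
}

# Microsoft Agent control CLSIDs as this editor recalls the MS07-020 workaround
# listing them (an assumption): confirm against the bulletin before deploying.
$agentClsids = @(
    '{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}',
    '{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}',
    '{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}',
    '{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}'
)

Disable-UpnpExposure
Set-ActiveXKillBit -Clsid $agentClsids
"Agent kill bits in place: $(Test-ActiveXKillBit -Clsid $agentClsids)"
```

The kill bit is preferable to uninstalling the Agent control because it blocks only the Internet Explorer instantiation path the bulletin worries about and is reversible by clearing the value; the service change for MS07-019 is the more intrusive of the two, so check for anything (media extenders, some printers) that depends on UPnP discovery before rolling it out.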

I know what you are thinking, and the answer is "No, Patch Tuesday didn't come early this month.  You have more patches to look forward to next month."  Let's see if I can sum up what led up to this out-of-band patch: Microsoft has been working on this animated cursor issue since December of last year, having been informed privately of the vulnerability by Determina.  Apparently the same hole was found separately by a party or parties unknown and subsequently used in a limited attack on at least one Symantec customer.  Symantec informed Microsoft on March 28, 2007, which prompted Microsoft to issue the advisory you received the next day, Thursday.  After that, proof-of-concept code was released publicly and the incidence of attacks using the vulnerability increased, causing Microsoft to schedule this out-of-band patch.

This patch actually addresses 7 different vulnerabilities, but the one to focus on is "Windows Animated Cursor Remote Code Execution", which allows remote, arbitrary code to run on the targeted system if the attacker can get the targeted user to visit a specially crafted web page or open a specially crafted email.  That covers viewing web pages, previewing or opening email messages, and opening email attachments.  Blocking .ani files doesn't protect you: Windows recognizes an animated cursor by its contents (the RIFF/ACON signature), not by its extension, so a crafted cursor carrying some other extension is parsed just the same.  Using IE7 in Protected Mode (Vista only) and Outlook 2007 with its default viewer setting (Word) blocks the most common attack vectors.
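To make the extension point concrete, here is a content-based check added by the editor of this page (it is not code from the newsletter or from Microsoft).  It identifies an animated cursor by the RIFF/ACON signature at the start of the file, whatever the file is called, and walks the RIFF chunks to flag any "anih" header chunk whose declared length is not the 36 bytes the format defines.  The 36-byte expectation is this editor's understanding of what the patched loader enforces, not a statement from the newsletter, so treat a hit as something to quarantine and look at rather than proof of exploitation.  The two sample files it writes are constructed here for illustration only.

```powershell
# Added example, not from the newsletter: recognise animated-cursor content by
# signature rather than by extension, and flag malformed "anih" header chunks.

function Test-AniContent {
    param([Parameter(Mandatory=$true)][string]$Path)
    $ascii = [System.Text.Encoding]::ASCII
    $b = [System.IO.File]::ReadAllBytes($Path)
    # RIFF form type "ACON" is what the cursor loader keys on, not the extension.
    $isAni = ($b.Length -ge 12) -and ($ascii.GetString($b, 0, 4) -eq 'RIFF') -and
             ($ascii.GetString($b, 8, 4) -eq 'ACON')
    $findings = @()
    if ($isAni) {
        [long]$off = 12          # first chunk follows "RIFF", the size field and "ACON"
        $anihCount = 0
        while ($off + 8 -le $b.Length) {
            $id   = $ascii.GetString($b, $off, 4)
            $size = [BitConverter]::ToUInt32($b, $off + 4)   # little-endian, attacker-controlled
            if ($id -eq 'anih') {
                $anihCount++
                if ($size -ne 36) {
                    $findings += "anih chunk $anihCount at offset $off declares $size bytes, expected 36"
                }
            }
            if ($id -eq 'LIST') {
                $off += 12                        # descend: id, size, then the list type
            } else {
                $off += 8 + $size + ($size % 2)   # chunk bodies are padded to even length
            }
        }
        # A well-formed cursor carries one header; extra copies deserve a look.
        if ($anihCount -gt 1) { $findings += "$anihCount anih chunks found, expected 1" }
    }
    New-Object PSObject -Property @{ Path = $Path; IsAni = $isAni; Findings = $findings }
}

function New-SampleAni {
    # Constructed test file (not a real cursor): RIFF/ACON with a single anih
    # chunk whose declared size is $DeclaredSize but whose body is 36 zero bytes.
    param([string]$Path, [uint32]$DeclaredSize)
    $ascii = [System.Text.Encoding]::ASCII
    $body = [byte[]]($ascii.GetBytes('ACON') + $ascii.GetBytes('anih') +
                     [BitConverter]::GetBytes($DeclaredSize) + (New-Object byte[] 36))
    $file = [byte[]]($ascii.GetBytes('RIFF') + [BitConverter]::GetBytes([uint32]$body.Length) + $body)
    [System.IO.File]::WriteAllBytes($Path, $file)
    $Path
}

# Constructed samples: a well-formed cursor, and an oversized header hiding
# behind an image extension.
$dir = Join-Path $env:TEMP 'ani-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
New-SampleAni -Path (Join-Path $dir 'good.ani')  -DeclaredSize 36   | Out-Null
New-SampleAni -Path (Join-Path $dir 'photo.jpg') -DeclaredSize 4096 | Out-Null

# Sweep a folder the way you would a download or mail-attachment quarantine.
Get-ChildItem -Path $dir -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Test-AniContent -Path $_.FullName } |
    Where-Object { $_.IsAni } |
    Format-List Path, Findings
```

Both sample files are reported as animated cursors, and only photo.jpg gets a finding, which is the point: a filter keyed on the .ani extension would have let it through untouched.  The chunk walker only ever moves forward by the declared size, so a huge attacker-supplied length simply runs the offset off the end of the file and ends the loop; nothing here allocates or copies based on that length.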
 
This patch is pretty much a Workstation and end-user accessible Terminal Services issue as long as your admins refrain from web browsing and emailing from servers. 

Because of the rise in attacks and the lack of any comprehensive workarounds, I suggest deploying this patch to workstations ASAP with abbreviated testing.  Make sure you monitor KB article 925902 for any “known issues” (aka problems) with this patch.  Currently there is only one such issue that affects computers with the Realtek HD Audio Control Panel and there is a hotfix for that issue. 

Best wishes with this patch and hang in there until next week…
