Patch Tuesday Analysis for May 2007

OK, 7 patches today and, lest you feel left out, there’s something for everyone: 3 for Office, 1 for Exchange, and 1 each for IE, CAPICOM and DNS servers.

Workstation-centric patches
If you manage workstations, you’ll be interested in 5 of the patches.  Of the 3 for Office, only one is publicly disclosed and actively being used in attacks.  Unfortunately there are no good workarounds for any of them, so you will either want to install just the patch for the public vulnerability ASAP and take your time testing the other 2, or try to save some time and reduce rollouts by batching all 3 together.
The patch for IE affects all versions.  This security update patches 5 different holes in IE.  Exploit details for one of the holes (COM Object Instantiation Memory Corruption Vulnerability) are public, but the good news is that there is also a good workaround for this particular hole: just set the kill bit on the affected ActiveX control.  Don’t ask me what this control does (I was unable to obtain a good explanation), but apparently it was never supposed to be instantiated by IE anyway, so killing it is not supposed to cause problems.

The CAPICOM vulnerability is not going to be an issue for most of you.  CAPICOM is a scripting interface to the Certificate APIs of Win32.  Some applications may include and install CAPICOM, especially those using certificates and/or private/public key encryption.  I recommend using MBSA or looking for the registry keys specified below to determine whether your systems have CAPICOM installed.  There is a good workaround, again the kill bit, so consider using that instead of risking a bad patch deployment.
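Both the IE workaround and the CAPICOM workaround above come down to the same registry change, so here is an added example (not from the original post) that audits and sets the IE kill bit for a control by CLSID. The CLSID in the script is a placeholder; substitute the one named in the bulletin, and run the script elevated.

```powershell
# Added example: audit and set the IE ActiveX "kill bit" for one CLSID.
# The CLSID below is a PLACEHOLDER, not a value from the bulletin.
# Run from an elevated prompt; IE reads this flag from HKLM.
$KillBitFlag = 0x400   # COMPAT_FLAG_KILL_BIT: IE refuses to instantiate the control
$CompatRoot  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

function Get-KillBitStatus {
    # Returns $true only if the kill bit is present in "Compatibility Flags".
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $item = Get-ItemProperty -Path $key -Name "Compatibility Flags" -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $flags = [int]$item."Compatibility Flags"
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    # ORs the kill bit into any existing flags so other compatibility
    # settings for the control are preserved rather than overwritten.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $item = Get-ItemProperty -Path $key -Name "Compatibility Flags" -ErrorAction SilentlyContinue
    $existing = 0
    if ($null -ne $item) { $existing = [int]$item."Compatibility Flags" }
    Set-ItemProperty -Path $key -Name "Compatibility Flags" -Type DWord -Value ($existing -bor $KillBitFlag)
}

# PLACEHOLDER CLSID: replace with the control's CLSID from the bulletin.
$Clsid = "{00000000-0000-0000-0000-000000000000}"
if (Get-KillBitStatus $Clsid) {
    Write-Output "Kill bit already set for $Clsid"
} else {
    Set-KillBit $Clsid
    Write-Output ("Kill bit set for {0}: {1}" -f $Clsid, (Get-KillBitStatus $Clsid))
}
```

On 64-bit Windows the 32-bit browser reads the same path under HKLM:\SOFTWARE\Wow6432Node, so audit and set both locations there.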

Server patches
Provided you refrain from using Office and IE on servers, I think you only need to pay real attention to 2 vulnerabilities, or 3 if you have BizTalk running.
The one for DNS is important but manageable.  It does NOT affect the DNS protocol, just the remote administration interface that uses RPC.  I provided a full discussion of this vulnerability some weeks ago when it was announced.  I suggest testing this fully before deploying, since you should have already implemented the workaround.
If you are running BizTalk, please analyze the CAPICOM vulnerability and determine your level of exposure.

Here’s the chart of bulletins directly below:

Bulletin: MS07-027 (KB 931768)
Exploit type / technology affected: Arbitrary code / IE
System types affected: Workstations, Terminal Servers
Exploit details public? / Being exploited?: Yes / No
Comprehensive, practical workaround available?: No
MS severity rating: Critical
Products affected: Win2000, XP, Vista, Server 2003
Notes: 5 Internet Explorer vulnerabilities. Only 1-2 have good workarounds. One is publicly disclosed but no attacks so far.
Randy's recommendation: Patch ASAP after required testing.

Bulletin: MS07-026 (KB 931832)
Exploit type / technology affected: Arbitrary code / Exchange
System types affected: Exchange Servers
Exploit details public? / Being exploited?: No / No
Comprehensive, practical workaround available?: No
MS severity rating: Critical
Products affected: Exchange 2000, Exchange 2003, Exchange 2007
Notes: 4 Exchange vulnerabilities allow remote attackers to take over Exchange through emailed iCal files and other means.
Randy's recommendation: Patch ASAP after required testing.

Bulletin: MS07-028 (KB 931906)
Exploit type / technology affected: Arbitrary code
System types affected: BizTalk Servers, Systems with CAPICOM
Exploit details public? / Being exploited?: No / No
Comprehensive, practical workaround available?: Yes
MS severity rating: Critical
Products affected: BizTalk Server 2004, CAPICOM
Notes: CAPICOM is a scripting interface to the Certificate APIs of Win32. Can block most likely attack vectors by setting the kill bit. Some applications may include and install CAPICOM, especially those using certificates and/or private/public key encryption.
Randy's recommendation: Determine affected systems by looking for the specified registry keys, then patch or set the kill bit on the ActiveX control.

Bulletin: MS07-024 (KB 934232)
Exploit type / technology affected: Arbitrary code / Office
System types affected: Workstations, Terminal Servers
Exploit details public? / Being exploited?: Yes / Yes
Comprehensive, practical workaround available?: No
MS severity rating: Critical
Products affected: Office 2000, Office XP, Office 2003, Office 2004 for Mac, Works 2004, Works 2005, Works 2006
Notes: 3 Word vulnerabilities.
Randy's recommendation: Patch ASAP.

Bulletin: MS07-023 (KB 934233)
Exploit type / technology affected: Arbitrary code / Office
System types affected: Workstations, Terminal Servers
Exploit details public? / Being exploited?: No / No
Comprehensive, practical workaround available?: No
MS severity rating: Critical
Products affected: Office 2000, Office XP, Office 2003, Office 2007, Office 2004 for Mac
Notes: 3 Excel vulnerabilities.
Randy's recommendation: Patch after normal testing.

Bulletin: MS07-025 (KB 934873)
Exploit type / technology affected: Arbitrary code / Office
System types affected: Workstations, Terminal Servers
Exploit details public? / Being exploited?: No / No
Comprehensive, practical workaround available?: No
MS severity rating: Critical
Products affected: Office 2000, Office XP, Office 2003, Office 2007, Office 2004 for Mac
Notes: 1 vulnerability affecting Drawing Objects.
Randy's recommendation: Patch after normal testing.

Bulletin: MS07-029 (KB 935966)
Exploit type / technology affected: Arbitrary code / Windows
System types affected: DNS Servers
Exploit details public? / Being exploited?: Yes / Yes
Comprehensive, practical workaround available?: Yes
MS severity rating: Critical
Products affected: Server 2000, Server 2003
Notes: This is an easy hole to plug by disabling the RPC management interface. It does not affect the DNS protocol, only remote management of DNS via RPC.
Randy's recommendation: You should have already implemented the workaround on affected servers. Install this update after testing, monitoring the community for problems reported by early adopters.
