Patch Tuesday Analysis for August 2007

So, 9 security bulletins this month. All of them, with the exception of MS07-049, impact workstations, so unless you use Virtual Server, you server admins get off pretty easy this month. Across all the vulnerabilities there is a piece of good news: none of them is public yet. That's right, no zero-day exploits this month, so you can take your time testing.
Everyone should note this point, however: I don't agree with the Important severity rating Microsoft assigned MS07-047, MS07-048 or MS07-049. These should all be Critical since they allow arbitrary code execution. Just because a setting isn't turned on by default, or a user must click OK on a prompt, should not reduce the severity.
 
Some of the other good news is that many of this month's vulnerabilities can be mitigated by implementing a workaround instead of installing the update, and most of those workarounds can be applied via group policy. A couple of them require a command to be executed on the local computer to unregister a DLL or delete a registry key, so for those you might consider deploying a Startup script via group policy.
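The kind of Startup script described above, as an added illustration (this is not the newsletter's own script and not Microsoft's). It unregisters one DLL and deletes one registry key, logs what it did, and is safe to re-run at every boot. The DLL path is an assumption taken from Microsoft's published Vector Markup Language (Vgx.dll) workaround rather than from this page; the registry key is a labelled placeholder, because the newsletter does not name the key for the WMZ/WMD workaround.

```batch
@echo off
setlocal EnableDelayedExpansion

rem Example GPO startup script (added illustration, not from the newsletter).
rem Startup scripts run as LocalSystem at boot, so the two command-line
rem workarounds the analysis mentions can be pushed to every workstation.
rem ASSUMPTION: DLL path is Microsoft's VML workaround target; the registry
rem key below is a PLACEHOLDER and must be replaced with the real key.

set "LOG=%SystemRoot%\Temp\patch-workaround.log"
set "DLL=%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
set "REGKEY=HKLM\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_KEY"
set "BACKUP=%SystemRoot%\Temp\workaround-backup-%COMPUTERNAME%.reg"

echo [%DATE% %TIME%] %COMPUTERNAME% workaround script start >> "%LOG%"

rem 1. Unregister the DLL. regsvr32 /u is harmless to repeat, so the only
rem    skip condition is the file being absent. /s keeps it silent at boot.
if not exist "%DLL%" (
    echo   DLL not present, nothing to unregister: "%DLL%" >> "%LOG%"
) else (
    regsvr32 /u /s "%DLL%"
    if errorlevel 1 (
        echo   regsvr32 /u FAILED rc=!ERRORLEVEL! for "%DLL%" >> "%LOG%"
    ) else (
        echo   unregistered "%DLL%" >> "%LOG%"
    )
)

rem 2. Delete the registry key. reg delete /f removes the key and all of
rem    its subkeys, so export it first; the export is skipped once a backup
rem    exists, and the delete is skipped once the key is gone.
reg query "%REGKEY%" >nul 2>&1
if errorlevel 1 (
    echo   key absent, nothing to delete: %REGKEY% >> "%LOG%"
) else (
    if not exist "%BACKUP%" reg export "%REGKEY%" "%BACKUP%" >nul 2>&1
    reg delete "%REGKEY%" /f >nul 2>&1
    if errorlevel 1 (
        echo   reg delete FAILED rc=!ERRORLEVEL! for %REGKEY% >> "%LOG%"
    ) else (
        echo   deleted %REGKEY%, backup in "%BACKUP%" >> "%LOG%"
    )
)

echo [%DATE% %TIME%] %COMPUTERNAME% workaround script end >> "%LOG%"
endlocal
exit /b 0
```

Link it under Computer Configuration, Windows Settings, Scripts (Startup) on a GPO scoped to the workstation OUs, and collect the per-machine log (or the event the script could write) so you can tell which hosts actually received the workaround. Once the real update is deployed, reverse the DLL step with plain regsvr32 and restore the key from the exported .reg file, then unlink the script. reg.exe is built into XP and Server 2003; on Windows 2000 it comes with the Support Tools, so confirm it is present before relying on it there.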

Be sure to check out the chart below. It has many additional facts and tips.

| Bulletin (KB) | Exploit types / technologies affected | System types affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS07-043 (921503) | Arbitrary code / Windows, Visual Basic, Office for Mac | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Visual Basic 6.0, Office 2004 for Mac, Server 2003 | OLE Automation. Known issue for Visual Basic developers (KB921503) and users of 3rd party developed VB apps (KB921503) | Patch after testing. Check 3rd party apps. Developers, alert your users. |
| MS07-042 (936227) | Arbitrary code / Windows, XML Core Services | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Vista, Office 2003, Office 2007, Word Viewer, Comp. Pack for Office 2007, Office Sharepoint Server 2007, Server 2003, Server 2008, Expression Web, Groove Server 2007 | XML Core Services may get installed by MS apps in addition to Windows. See KB269238 | Patch after testing |
| MS07-047 (936782) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | Yes | Critical | Win2000, XP, Vista, Server 2003 | Windows Media Player skins. Known issue with .SWF Flash files (KB936782) | Patch after testing or implement WMZ/WMD workaround |
| MS07-045 (937143) | Arbitrary code, Denial of service / Windows Internet Explorer | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Vista, Server 2003 | Cumulative Update includes non-security fixes. Known issue in KB937143. Sets kill bits for several non-MS ActiveX controls | Patch after testing |
| MS07-049 (937986) | Arbitrary code / Virtual PC, Virtual Server | Virtual PC, Virtual Servers | No/No | No | Critical | Virtual PC 2004, Virtual Server 2005, Virtual PC for Mac 6.1, Virtual PC for Mac 7 | None | Install patch or upgrade to latest version |
| MS07-048 (938123) | Arbitrary code / Windows | Workstations | No/No | Yes | Critical | Vista | Vista Gadgets | Patch after testing or use one of the workarounds supported by group policy |
| MS07-050 (938127) | Arbitrary code / IE | Workstations, Terminal Servers | No/No | Yes | Critical | Win2000, XP, Vista, Server 2003 | Disable Vector Markup Language | Patch after testing or implement workaround |
| MS07-046 (938829) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Server 2003 | W2003 SP2 not affected | Patch after testing |
| MS07-044 (940965) | Arbitrary code / Office Excel | Workstations, Terminal Servers | No/No | Yes | Critical | Office 2000, Office XP, Office 2003, Office 2004 for Mac | None | Patch after testing or use Office File Block policy workaround |
