Patch Analysis for April 2007

When you look at the first bulletin in today’s summary, don’t be surprised if you feel a little déjà vu. It is indeed the same bulletin that was released last week; Microsoft sensibly included it in today’s summary. The only thing that has changed since my comments published last week is that Microsoft has identified 3 more applications with compatibility problems with MS07-017/925902. In addition to Realtek HD Audio Control Panel you may also run into problems with ElsterFormular, TUGZip and CD-Tag. KB 925902 provides regularly updated information on these “known issues” as well as a hotfix to solve the problem if you are encountering it.

Now, on to the other 5 bulletins released today.

While all but one of the bulletins are rated critical, the only bulletin currently being exploited in attacks is MS07-017, which came out last week; MS07-021 is the only other bulletin with exploit details already public. I would give these 2 bulletins my first priority. Then I’d focus on MS07-019, which has 2 good workarounds. All 3 of these are primarily workstation vulnerabilities.
If you maintain your website with Microsoft Content Management Server, I recommend testing and deploying MS07-018 as soon as possible because (pay attention here) it’s a risk to the people (customers?) who use your site. Yeah, the flaw is in CMS, but the risk is to the people who visit the CMS-maintained web site…

I know what you are thinking, and the answer is “No, Patch Tuesday didn’t come early this month. You have more patches to look forward to next month.” Let’s see if I can sum up what led up to this out-of-band patch: Microsoft has been working on this animated cursor issue since December of last year, having been informed privately of the vulnerability by Determina. Apparently the same hole was found separately by a party or parties unknown and subsequently used in a limited attack on at least one Symantec customer. Symantec informed Microsoft on March 28, 2007, which prompted Microsoft to issue the advisory you received the next day, Thursday. After that, proof-of-concept code was released publicly and the incidence of attacks using the vulnerability increased, causing Microsoft to schedule this out-of-band patch.

This patch actually addresses 7 different vulnerabilities, but the one to focus on is “Windows Animated Cursor Remote Code Execution”, which allows arbitrary code to run remotely on the targeted system if the attacker can get the targeted user to visit a specially crafted web page or open a specially crafted email. This applies to viewing web pages, previewing or opening email messages, and opening email attachments. Blocking .ani files doesn’t protect you. Using IE7 in protected mode and Outlook 2007 configured with the default viewer setting (Word) blocks the most common attack vectors.
This patch is pretty much a workstation and end-user-accessible Terminal Services issue, as long as your admins refrain from web browsing and emailing from servers.

Because of the rise in attacks and the lack of any comprehensive workaround, I suggest deploying this patch to workstations ASAP with abbreviated testing. Make sure you monitor KB article 925902 for any “known issues” (aka problems) with this patch. Currently there is only one such issue, which affects computers with the Realtek HD Audio Control Panel, and there is a hotfix for that issue.

Best wishes with this patch and hang in there until next week…

Bulletin summary chart

Columns: Bulletin; Exploit type / Technology affected; System types affected; Exploit details public? / Being exploited?; (column whose header was not preserved); MS severity rating; Products affected; Notes; Randy's recommendation.

Bulletin: MS07-017
  Exploit type / Technology affected: Arbitrary code / Windows
  System types affected: Terminal Servers
  Exploit details public? / Being exploited?: Yes / Yes
  (header not preserved): No
  MS severity rating: Critical
  Products affected: Win2000, Server 2003
  Notes: Animated cursor, etc.
  Randy's recommendation: Patch ASAP

Bulletin: MS07-018
  Exploit type / Technology affected: Arbitrary code / Microsoft Content Management Server
  System types affected: Content Management Servers
  Exploit details public? / Being exploited?: No / No
  (header not preserved): No
  MS severity rating: Critical
  Products affected: Content Management Server 2001, Content Management Server 2002
  Notes: CMS
  Randy's recommendation: Patch ASAP after testing. IMPORTANT: see introductory comments above this chart.

Bulletin: MS07-021
  Exploit type / Technology affected: Arbitrary code / Windows
  System types affected: Terminal Servers
  Exploit details public? / Being exploited?: Yes / No
  (header not preserved): No
  MS severity rating: Critical
  Products affected: Win2000, Server 2003
  Notes: CSRSS
  Randy's recommendation: Patch ASAP after testing

Bulletin: MS07-019
  Exploit type / Technology affected: Arbitrary code / Windows
  System types affected: (none listed)
  Exploit details public? / Being exploited?: No / No
  (header not preserved): Yes
  MS severity rating: Critical
  Products affected: XP
  Notes: UPnP
  Randy's recommendation: Block UDP port 1900 and TCP port 2869 on local firewall or disable UPnP service via group policy

Bulletin: (ID not given on the page)
  Exploit type / Technology affected: Privilege elevation / Windows
  System types affected: Terminal Servers
  Exploit details public? / Being exploited?: No / No
  (header not preserved): No
  MS severity rating: Important
  Products affected: Win2000, Server 2003
  Notes: Kernel
  Randy's recommendation: Significant prerequisites make this a low priority except on Terminal Services

Bulletin: (ID not given on the page)
  Exploit type / Technology affected: Arbitrary code / Windows
  System types affected: Terminal Servers
  Exploit details public? / Being exploited?: No / No
  (header not preserved): Yes
  MS severity rating: Critical
  Products affected: Win2000, Server 2003
  Notes: Microsoft Agent
  Randy's recommendation: Kill the Agent ActiveX control. Once again my handy, dandy administrative template for setting the killbits comes to the rescue.
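As an added example (not part of the newsletter), a PowerShell audit that reports whether the two workarounds from the chart are actually in place on a machine: the UPnP services disabled or nothing bound to UDP 1900 / TCP 2869, and the IE kill bit set for an ActiveX control. The service names upnphost and SSDPSRV and the kill-bit registry layout are assumptions based on XP-era Windows; $AgentClsid is a placeholder to be replaced with the CLSID given in the Microsoft Agent bulletin.

```powershell
# Added audit script, not from the original newsletter. Assumptions: the UPnP
# services are named 'upnphost' and 'SSDPSRV' (XP-era Windows), and the IE kill
# bit is bit 0x400 of 'Compatibility Flags' under the 'ActiveX Compatibility' key.
# $AgentClsid is a PLACEHOLDER: replace it with the CLSID from the bulletin.
$AgentClsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real CLSID
$KillBit    = 0x400                                      # "kill bit" flag value

# True when the kill bit is set for the given CLSID (IE refuses to load the control).
function Test-KillBit {
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $item  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $flags = [int]$item.'Compatibility Flags'            # missing value reads as 0
    return (($flags -band $KillBit) -eq $KillBit)
}

# True when both UPnP-related services are disabled and not running.
function Test-UpnpDisabled {
    foreach ($name in 'upnphost', 'SSDPSRV') {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if (-not $svc) { continue }                      # not installed: nothing to expose
        if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') { return $false }
    }
    return $true
}

# True when no local socket is bound to UDP 1900 (SSDP) or TCP 2869 (UPnP host).
function Test-UpnpPortsClosed {
    $lines = netstat -an | Select-String -Pattern ':1900\s', ':2869\s'
    foreach ($l in $lines) {
        $text = $l.Line
        if (($text -match '^\s*UDP' -and $text -match ':1900\s') -or
            ($text -match '^\s*TCP' -and $text -match ':2869\s' -and $text -match 'LISTENING')) {
            return $false
        }
    }
    return $true
}

# Report: False on a line means that workaround is not in place on this machine.
# The chart offers the UPnP workarounds as alternatives, so either one satisfies it.
"UPnP workaround in place (services disabled or ports closed): " + ((Test-UpnpDisabled) -or (Test-UpnpPortsClosed))
"Agent ActiveX kill bit set for $AgentClsid : " + (Test-KillBit $AgentClsid)
```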
