Patch Analysis for September 2007

Well, not a bad month all in all.  The only patch I'm really concerned about is the one for back-level versions of Windows Live Messenger and MSN Messenger.  If your users don't have the very latest version installed, you are vulnerable to a remote arbitrary-code attack in which the bad guy takes over your user's computer by initiating a webcam or video conversation; the only thing standing in the way is that the user has to accept the invitation.  So tell your users not to accept such invitations and to allow the upgrade that Messenger proposes the next time they log on.  Also, the bulletin omitted any details as to whether the patch is deployable via WSUS or detectable via MBSA.  Weird.  I haven't tested either yet, but I'm guessing "no".  Exploit details for this one are public, so I encourage you to get the word out to your users right away!


MS07-051 is a non-urgent workstation patch (it applies only to Windows 2000) which you can avoid by setting the kill bit on that infernal Microsoft Agent ActiveX control.  See the chart below for a link to more information on killing ActiveX controls via group policy.  Keep in mind that the kill bit only stops Internet Explorer from instantiating the control; it does not remove the control from the machine.
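To make the kill-bit workaround concrete, here is a PowerShell script (an added example, not code from the newsletter or from Microsoft) that sets and then verifies the kill bit for a control's CLSID, which is what the manual workaround in MS07-051 amounts to. The CLSID in the usage lines is a placeholder, not the Agent control's real CLSID; take the real values from the workaround section of the bulletin. The script assumes it is run from an elevated session, since the values live under HKLM.

```powershell
# Added example (not the newsletter's own code): set and verify the Internet Explorer
# "kill bit" for an ActiveX control. Run elevated: the values live under HKLM.

$KillBit = 0x400   # bit 10 of "Compatibility Flags" = "never instantiate this control"

function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # On 64-bit Windows the 32-bit IE reads the Wow6432Node copy, so both must carry the bit.
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $keys
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($key in (Get-ActiveXCompatKeys -Clsid $Clsid)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
        # OR the bit in rather than overwriting: other compatibility flags may already be set.
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$flags -bor $KillBit) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    # True only if every relevant key carries the bit, so a half-applied workaround shows as False.
    foreach ($key in (Get-ActiveXCompatKeys -Clsid $Clsid)) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $KillBit) -ne $KillBit)) { return $false }
    }
    return $true
}

# PLACEHOLDER CLSID (an assumption for illustration only); substitute the CLSIDs listed in the
# MS07-051 workaround. Keep the braces: the key name must match the CLSID exactly.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $clsid
Test-ActiveXKillBit -Clsid $clsid
```

The same DWORD value can be pushed to every workstation with a Group Policy registry setting (or a custom ADM template), which is the approach the group-policy link in the chart describes; the script above is handy for verifying that the policy actually landed, because a kill bit set only under the 64-bit key leaves 32-bit IE unprotected.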

Other than that, if you have programmers on your network, be sure to instruct them to refrain from opening RPT files attached to email or web pages (see below on MS07-052).  Finally, if you use Services for Unix or the Subsystem for UNIX-based Applications in Windows, you'll be interested in MS07-053, which allows elevation of privilege through the setuid bit.
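If you take the chart's "remove the association with .rpt files" route for MS07-052, the following PowerShell script (an added example, not code from the newsletter or from Business Objects) shows what Explorer currently launches for an extension and neutralizes the association after backing the key up. It assumes an elevated session, since HKEY_CLASSES_ROOT\.rpt is backed by HKLM\SOFTWARE\Classes, and the backup path is a hypothetical location of your choosing.

```powershell
# Added example (not the newsletter's own code): inspect and neutralize a file association.
# Run elevated: HKEY_CLASSES_ROOT\<ext> is backed by HKLM\SOFTWARE\Classes.

function Get-FileAssociation {
    param([Parameter(Mandatory = $true)][string]$Extension)   # e.g. '.rpt'
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $extKey)) { return $null }
    $progId  = (Get-ItemProperty -Path $extKey).'(default)'   # ProgID, e.g. the Crystal Reports viewer class
    $command = $null
    if ($progId) {
        # The ProgID's shell\open\command is what Explorer runs on double-click.
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path $cmdKey) { $command = (Get-ItemProperty -Path $cmdKey).'(default)' }
    }
    New-Object PSObject -Property @{ Extension = $Extension; ProgId = $progId; OpenCommand = $command }
}

function Disable-FileAssociation {
    param(
        [Parameter(Mandatory = $true)][string]$Extension,
        [Parameter(Mandatory = $true)][string]$BackupPath   # .reg file to restore from once patched
    )
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $extKey)) { return }
    # Export first so the association can be put back with "reg import" after the patch is on.
    & reg.exe export "HKCR\$Extension" $BackupPath /y | Out-Null
    # Clearing the default value (the ProgID) is enough: Explorer no longer knows what opens
    # the file and prompts the user instead of silently launching the viewer.
    Set-ItemProperty -Path $extKey -Name '(default)' -Value ''
}

Get-FileAssociation -Extension '.rpt'
# Hypothetical backup location; any writable path will do.
Disable-FileAssociation -Extension '.rpt' -BackupPath "$env:TEMP\rpt-association-backup.reg"
```

Two caveats a practitioner will want: a per-user association under HKCU\Software\Classes\.rpt overrides the machine-wide one, so check there too; and removing the association only defeats the double-click path, since Visual Studio itself can still open an RPT file through its own File menu, which is why the patch remains the real fix.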
Chart of this month's bulletins (one block per bulletin; the field names are the column headings of the original chart):

Bulletin: MS07-051
  Exploit types / technologies affected: Arbitrary code / Windows
  System types affected: Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Unlabeled column (heading missing in source): Yes
  MS severity rating: Critical
  Products affected: Win2000
  Notes: Microsoft Agent ActiveX control. Restart required.
  Randy's recommendation: Set kill bit or patch after testing.

Bulletin: MS07-053
  Exploit types / technologies affected: Privilege elevation / Windows Services for Unix
  System types affected: Terminal Servers; Domain Controllers
  Exploit details public? / Being exploited?: Yes / No
  Unlabeled column (heading missing in source): No
  MS severity rating: Important
  Products affected: Win2000; Server 2003
  Notes: Default setup does not include Services for Unix. Restart required.
  Randy's recommendation: Patch after testing.

Bulletin: MS07-052
  Exploit types / technologies affected: Arbitrary code / Visual Studio
  System types affected: Programmer workstations
  Exploit details public? / Being exploited?: Yes / No
  Unlabeled column (heading missing in source): Yes
  MS severity rating: Important
  Products affected: Visual Studio .NET 2002; Visual Studio .NET 2003; Visual Studio 2005
  Notes: Crystal Reports. Restart required? Maybe.
  Randy's recommendation: Remove Crystal Reports and the association with .rpt files, then patch after testing. Or: inform your programmers and depend on them to refrain from opening RPT files received via email or download.

Bulletin: (not stated)
  Exploit types / technologies affected: Arbitrary code / Windows Live Messenger, MSN Messenger
  System types affected: Terminal Servers
  Exploit details public? / Being exploited?: Yes / No
  Unlabeled column (heading missing in source): No
  MS severity rating: Important
  Products affected: Win2000; Server 2003
  Notes: Patch prompts to upgrade Messenger. Restart required? Yes, if Messenger is active. You are immune if using Windows Live Messenger 8.1 or MSN Messenger 7.0.0820.
  Randy's recommendation: Upgrade to the latest version of Messenger / patch after testing.
