For February's Patch Tuesday, Microsoft released 12 security bulletins, half of which the company has rated as critical. (The remaining six updates address important threats.) Updates to note include a cumulative patch for Internet Explorer and fixes for the highly publicized Word zero-day flaws.
Redmond released a dozen security bulletins for February's Patch Tuesday, rating six as critical. Due to space constraints, I'll review the critical updates this week, and I'll wrap up this month's Patch Tuesday coverage in the next issue. Here's a closer look at each critical update, in order of risk.
Microsoft Security Bulletin MS07-016, "Cumulative Security Update for Internet Explorer," addresses three different remote code execution vulnerabilities:
- COM Object Instantiation Memory Corruption Vulnerability (CVE-2006-4697)
- COM Object Instantiation Memory Corruption Vulnerability (CVE-2007-0219)
- FTP Server Response Parsing Memory Corruption Vulnerability (CVE-2007-0217)
This update affects all IE versions from IE 5.01 to IE 7 on all platforms through Windows Server 2003. It does not affect IE 7 on Windows Vista.
This is a critical threat for all versions of IE 5.01 and IE 6. It's an important threat for IE 7 on Windows XP Service Pack 2 and a low threat for IE 7 on Windows Server 2003 SP1.
Microsoft Security Bulletin MS07-015, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution," addresses two Microsoft Office vulnerabilities: the PowerPoint Malformed Record Memory Corruption Vulnerability (CVE-2006-3877) and the Excel Malformed Record Vulnerability (CVE-2007-0671).
This is a critical threat for Office 2000 only; it's an important threat for Office XP, Office 2003, and Office 2004 for Mac. This bulletin replaces Microsoft Security Bulletin MS06-062 for all affected platforms.
While attackers are currently exploiting the Excel threat, the PowerPoint vulnerability is a newly discovered and privately reported threat. The recommended workaround is to avoid opening files from untrusted sources.
Microsoft Security Bulletin MS07-014, "Vulnerabilities in Microsoft Word Could Allow Remote Code Execution," addresses six vulnerabilities:
- Word Malformed String Vulnerability (CVE-2006-5994)
- Word Malformed Data Structures Vulnerability (CVE-2006-6456)
- Word Count Vulnerability (CVE-2006-6561)
- Word Macro Vulnerability (CVE-2007-0208)
- Word Malformed Drawing Object Vulnerability (CVE-2007-0209)
- Word Malformed Function Vulnerability (CVE-2007-0515)
This is a critical threat for Word 2000; it's an important threat for Word 2002, Word 2003, and Word Viewer 2003. Basically, this update affects all versions of Word except Word 2007. This bulletin replaces Microsoft Security Bulletin MS06-060 for all affected platforms.
Microsoft Security Bulletin MS07-010, "Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution," addresses the Microsoft Malware Protection Engine Vulnerability (CVE-2006-5270). This is a newly discovered vulnerability, and there had been no reports of active exploits at the time of publication.
This is a remote code execution threat that applies only to the Microsoft Malware Protection Engine. This is a critical threat for Live OneCare, Antigen for Exchange 9.x, Antigen for SMTP Gateway 9.x, Windows Defender, Windows Defender x64, Windows Defender in Windows Vista, Forefront Security for Exchange Server, and Forefront Security for SharePoint.
Microsoft Security Bulletin MS07-009, "Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution," addresses the Microsoft Windows MDAC ActiveX Vulnerability (CVE-2006-5559). While this is a publicly disclosed threat, there had been no reports of active exploits at the time of publication.
This is a remote code execution threat that applies only to Data Access Components. This is a critical threat for Windows 2000 SP4 and Windows XP SP2; it is a moderate threat for Windows Server 2003.
This bulletin replaces Microsoft Security Bulletin MS06-014 for some, but not all, affected platforms. Read the security bulletin to learn specifically which components the update affects and to find Microsoft-tested workarounds.
Microsoft Security Bulletin MS07-008, "Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution," addresses the HTML Help ActiveX Control Vulnerability (CVE-2007-0214). This is a newly discovered vulnerability, and there had been no reports of active exploits at the time of publication.
This is a remote code execution threat that affects Windows 2000, all versions of Windows XP, and all versions of Windows Server 2003. It does not affect Windows Vista. This is a critical threat for Windows 2000 and Windows XP; it is a moderate threat for Windows Server 2003.
This bulletin replaces Microsoft Security Bulletin MS06-046 for all affected platforms. The only workaround is to disable the HTML Help ActiveX control from running in Internet Explorer; read the security bulletin for detailed instructions.
This month's Patch Tuesday may appear bad at first glance, but most of the threats aren't critical for most platforms. Of course, you still need to evaluate each threat individually, so the work will be about the same—even if the urgency isn't high.
Please note that I wrote this article a little earlier than usual due to holiday schedules, so make sure to double-check the actual bulletins for updates. As usual, I'll post to this article's discussion if I hear of any major problems or other issues involving the patches.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.