Microsoft releases six security bulletins for April

For April's Patch Tuesday, Microsoft released five security bulletins, rating four of them as critical -- and that's in addition to the critical security bulletin it released a week earlier. John McCormick tells you what you need to know about all of April's security bulletins.

After canceling March's Patch Tuesday, Microsoft made up for lost time when it released a critical security bulletin a week before the regular schedule to plug the highly publicized animated cursor exploit. A week later, Redmond released five more security bulletins, rating four of them as critical. (The remaining update addresses an important threat.)

Most noteworthy about these updates? Windows Vista has made it onto the list of affected platforms for two of the six security bulletins.

Details

Following on the heels of an emergency patch to fix the animated cursor vulnerability, four critical security bulletins and one important security bulletin round out April's Patch Tuesday. The critical updates patch the most dangerous kind of threat — one that allows remote code execution or complete control of the vulnerable system.

Here's a closer look at each update. As always, remember to check the actual security bulletins in case of updates.

MS07-017

Microsoft Security Bulletin MS07-017, "Vulnerabilities in GDI Could Allow Remote Code Execution," addresses a whopping seven separate vulnerabilities:

These various vulnerabilities present elevation of privilege, denial-of-service, and remote code execution threats, and they each affect various versions of Windows and pose various threat levels. See the security bulletin for specifics.

Collectively, however, this update affects Windows 2000 SP4, all versions of Windows XP, all versions of Windows Server 2003, and all versions of Windows Vista, and it is a critical threat for all affected platforms. This update also replaces several bulletins for some platforms; the security bulletin has more details.

This was an urgently needed patch, as attackers have been actively exploiting the animated cursor vulnerability. In addition, proof-of-concept code has been circulating for the GDI Local Elevation of Privilege Vulnerability, but there had been no reports of exploits at the time of publication. The remaining five vulnerabilities were newly discovered, and there had been no reports of active exploits at the time of publication.

MS07-018

Microsoft Security Bulletin MS07-018, "Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution," addresses two vulnerabilities: the CMS Memory Corruption Vulnerability (CVE-2007-0938) and the CMS Cross-Site Scripting and Spoofing Vulnerability (CVE-2007-0939). These are newly discovered vulnerabilities, and there had been no reports of active exploits at the time of publication.

This is a remote code execution threat that affects Content Management Server 2001 SP1 and Content Management Server 2002 SP2. The CMS Memory Corruption Vulnerability is a critical threat for all affected versions; the CMS Cross-Site Scripting and Spoofing Vulnerability is an important threat.

MS07-019

Microsoft Security Bulletin MS07-019, "Vulnerability in Universal Plug and Play Could Allow Remote Code Execution," addresses the UPnP Memory Corruption Vulnerability (CVE-2007-1204). This is a newly discovered vulnerability, and there had been no reports of active exploits at the time of publication.

This remote code execution threat only affects Windows XP SP2, Windows XP Professional x64 Edition, and Windows XP Professional x64 Edition SP2. It's a critical threat for all affected versions.

Microsoft-approved workarounds include disabling the Universal Plug and Play service and blocking UDP port 1900 and TCP port 2869 at the firewall. Read the security bulletin for more details.
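To confirm that the service-disabling workaround above has taken effect on a host, the following added example (not part of the original column or of Microsoft's bulletin) scans saved `netstat -an` output for sockets still bound to UDP 1900 or TCP 2869. The sample output is constructed, and the function names are hypothetical; a firewall block does not remove local listeners, so this check covers only the "disable the service" half of the workaround.

```python
# Ports taken from the workaround text: UDP 1900 and TCP 2869.
UPNP_PORTS = {("UDP", 1900), ("TCP", 2869)}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.1:2869       ESTABLISHED
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.1.20:1900      *:*
  UDP    192.168.1.20:123       *:*
"""


def upnp_listeners(netstat_text):
    """Return sorted (proto, local_address, port) tuples for sockets that
    are still bound to the UPnP ports on this host."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or another protocol
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING rows are servers.
        # An outbound connection *to* port 2869 elsewhere is not a finding.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        # rpartition splits on the last colon, so "[::]:2869" also parses.
        addr, _, port = local.rpartition(":")
        if port.isdigit() and (proto, int(port)) in UPNP_PORTS:
            found.add((proto, addr, int(port)))
    return sorted(found)


def workaround_in_effect(netstat_text):
    """True when no local socket is bound to UDP 1900 or TCP 2869."""
    return not upnp_listeners(netstat_text)


if __name__ == "__main__":
    for proto, addr, port in upnp_listeners(SAMPLE_NETSTAT):
        print(f"still bound: {proto} {addr}:{port}")
```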

MS07-020

Microsoft Security Bulletin MS07-020, "Vulnerability in Microsoft Agent Could Allow Remote Code Execution," addresses the Microsoft Agent URL Parsing Vulnerability (CVE-2007-1205). This is a newly discovered vulnerability, and there had been no reports of active exploits at the time of publication.

Yet another remote code execution threat, this update affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. It does not affect Windows Vista. In addition, this does not affect users running Internet Explorer 7.x.

This is a critical threat for Windows 2000 SP4 and Windows XP SP2; it's a moderate threat for all versions of Windows Server 2003. A simple workaround is to disable ActiveX controls.

MS07-021

Microsoft Security Bulletin MS07-021, "Vulnerabilities in CSRSS Could Allow Remote Code Execution," addresses three vulnerabilities:

This update affects Windows 2000 SP4, all versions of Windows XP, all versions of Windows Server 2003, and all versions of Windows Vista. While the three vulnerabilities pose various levels of threats, the collective threat is critical. The MsgBox (CSRSS) Remote Code Execution Vulnerability was public knowledge, and proof-of-concept code was circulating. However, there had been no reports of active exploits at the time of publication.

MS07-022

Microsoft Security Bulletin MS07-022, "Vulnerability in Windows Kernel Could Allow Elevation of Privilege," addresses the Kernel Local Elevation of Privilege Vulnerability (CVE-2007-1206). This is a newly discovered vulnerability, and there had been no reports of active exploits at the time of publication.

This update affects Windows 2000 SP4, Windows XP SP2, Windows Server 2003, Windows Server 2003 SP1, and Windows Server 2003 SP2. It is an important threat for all affected versions. This bulletin replaces Microsoft Security Bulletin MS06-049 for Windows 2000 SP4 only.

Final word

Some financial analysts are speculating that Microsoft has reached the end of the line in Windows development, and they don't expect to see any major releases in the future — and I agree. If nothing else, the way Windows keeps bloating, it would take several DVDs to even carry the files for a major post-Vista release.

I think Microsoft's only hope in the OS market is to release a tightly coded version of Windows — highly secure, built from scratch, and containing only the most essential and popular features of Windows — not one that includes every bell and whistle every single user has suggested that a Microsoft OS should incorporate over the decades.

I find it very telling that one-third of these updates affects Windows Vista, the purported culmination of all the safe and secure programming practices that the world's largest software company could bring to bear. If this is the best an American company can do, I guess we'd better leave programming to the programmers in India.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.