May’s Patch Tuesday didn’t just mean seven critical security
bulletins for admins to worry about; it also welcomed some of Redmond’s
newer products, including Office 2007 and Exchange 2007, to the process. All
seven updates address remote code execution threats (one of them is the
cumulative update for IE), but most fix newly disclosed vulnerabilities that
attackers hadn’t yet had a chance to exploit. The two exceptions, the Word and
DNS RPC flaws, were already being exploited when the patches shipped.

Details

This is a bad month to have Microsoft systems to maintain:
the company greeted the second Tuesday of the month with the release
of seven security bulletins, rating all of them as critical. Looking on the
bright side, most of the critical ratings apply to Windows 2000 and the Office
2000 generation of applications; the same vulnerabilities affect newer
platforms at a lower (important or moderate) rating. In fact, you may spend more
time determining what you need to patch than actually patching your systems.

Here’s a closer look at each update, listed in order. Pay
particular attention to MS07-029, which patches a flaw that is already being
exploited, and to MS07-024, for which exploitation has also been reported. As
always, check the actual security bulletins for revisions.

MS07-023

Microsoft Security Bulletin MS07-023, “Vulnerabilities in Microsoft Excel Could
Allow Remote Code Execution,” addresses three vulnerabilities.

This update affects Excel 2000 Service Pack 3, Excel 2002
SP3, Excel 2003 SP2, Excel 2003 Viewer SP2, Office 2004 for Mac, Excel 2007,
and the Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File
Formats. It does not affect Microsoft Works Suite.

This is a critical threat for Excel 2000 SP3 only; it’s an important threat for all
other affected applications. This bulletin replaces Microsoft Security Bulletin
MS07-002 for all applicable versions. There had been no reports of active
exploits at the time of publication.

MS07-024

Microsoft Security Bulletin MS07-024, “Vulnerabilities in Microsoft Word Could
Allow Remote Code Execution,” addresses three vulnerabilities.

This update affects Word 2000 SP3, Word 2002 SP3, Word 2003
SP2, Word Viewer 2003 SP2, Office 2004 for Mac, Microsoft Works Suite 2004,
Works Suite 2005, and Works Suite 2006. It does not affect Word 2007.

This is a critical threat for Word 2000 SP3 only; it’s an important threat for all
other affected applications. This bulletin replaces Microsoft Security Bulletin
MS07-014 for several versions; check the security bulletin for details.
Attackers are actively exploiting the Word Document Stream Vulnerability, so
treat this update as urgent even on the versions rated only important.

MS07-025

Microsoft Security Bulletin MS07-025, “Vulnerability in Microsoft Office Could
Allow Remote Code Execution,” addresses the Drawing Object Vulnerability
(CVE-2007-1747). There had been no reports of active exploits at the time of
publication.

This update affects various applications — predominantly
Excel, FrontPage, and Publisher — in Office 2000 SP3, Office XP SP3, Office
2003 SP2, Office 2004 for Mac, and Office 2007. Check the security bulletin for
the specific applications this update does and doesn’t affect.

This is a critical threat for Office 2000 SP3; it’s an
important threat for all other affected versions. This bulletin replaces
Microsoft Security Bulletin MS07-015 for all applicable versions.

MS07-026

Microsoft Security Bulletin MS07-026, “Vulnerabilities in Microsoft Exchange
Could Allow Remote Code Execution,” addresses four vulnerabilities.

The first vulnerability presents a remote code execution
threat, the second presents an information disclosure threat, and the last two
are denial-of-service threats. Because of the first vulnerability alone, this is a
critical threat for every affected Exchange version.

This update affects Exchange 2000 Server SP3 with the
Post-SP3 Update Rollup, Exchange Server 2003 SP1, Exchange Server 2003 SP2, and
Exchange Server 2007. This bulletin replaces Microsoft Security Bulletins
MS06-019 and MS06-029 for all applicable versions. There had been no reports of
active exploits at the time of publication.

MS07-027

Microsoft Security Bulletin MS07-027, “Cumulative Security Update for Internet
Explorer,” addresses six remote code execution vulnerabilities.

This update affects every version of Internet Explorer from IE 5.01 through
IE 7. Check the security bulletin for details; Microsoft has already revised it
once since release.

This is a critical threat for most affected versions; it’s a
moderate threat for IE 6 and IE 7 on Windows Server 2003, where the Enhanced
Security Configuration that is on by default lowers the rating. While the
COM Object Instantiation Memory Corruption Vulnerability is a previously
disclosed threat, there had been no reports of active exploits at the time of
publication. This bulletin replaces Microsoft Security Bulletin MS07-016
for all applicable versions.

MS07-028

Microsoft Security Bulletin MS07-028, “Vulnerability in CAPICOM Could Allow
Remote Code Execution,” addresses the CAPICOM.Certificates Vulnerability
(CVE-2007-0940). This is a newly disclosed threat, and there had been no
reports of active exploits at the time of publication.

This update affects CAPICOM, Platform SDK Redistributable:
CAPICOM, BizTalk Server 2004 SP1, and BizTalk Server 2004 SP2; it does not
affect other versions of BizTalk Server. This is a critical threat for all
affected versions.

MS07-029

Microsoft Security Bulletin MS07-029, “Vulnerability in Windows DNS RPC
Interface Could Allow Remote Code Execution,” addresses the DNS RPC
Management Vulnerability (CVE-2007-1748). This is a previously disclosed
threat, and there have been reports of active exploits.

This update affects Windows 2000 Server SP4 and all versions
of Windows Server 2003; it does not affect Windows 2000 Professional SP4,
Windows XP, or Windows Vista. This is a critical threat for all affected
systems.

Final word

Many of these patches don’t appear to be particularly
urgent outside the Windows 2000 and Office 2000 estate, but the ratings could
change. Your best bet is to read the security bulletins in their entirety to
determine which ones affect your organization.
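One way to do that determination systematically, as an added example that is not part of the original column and not Microsoft’s tooling: the script below transcribes the affected-product and rating tables from the bulletin notes above into data, matches them against a host inventory, and orders the findings the way this column prioritizes them (already-exploited flaws first, then by rating). The host inventory at the bottom is constructed sample data; the product strings are assumptions about how your own inventory names things.

```python
"""Map a host inventory to the May 2007 bulletins and rank what to patch first.

Added example, not code from the original column or from Microsoft. The
bulletin table is transcribed from the column's per-bulletin notes (affected
products, per-product rating, whether exploitation was already reported);
the host inventory at the bottom is constructed sample data.
"""
from collections import namedtuple

# Microsoft's severity scale, highest first, used for sorting.
SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1}

# bulletin -> (actively exploited?, {affected product: rating}). A product
# entry also matches inventory strings that extend it with a service-pack
# suffix, so "Windows Server 2003" covers "Windows Server 2003 SP1".
BULLETINS = {
    "MS07-023": (False, {
        "Excel 2000 SP3": "critical", "Excel 2002 SP3": "important",
        "Excel 2003 SP2": "important", "Excel 2003 Viewer SP2": "important",
        "Office 2004 for Mac": "important", "Excel 2007": "important",
        "Office Compatibility Pack": "important"}),
    "MS07-024": (True, {
        "Word 2000 SP3": "critical", "Word 2002 SP3": "important",
        "Word 2003 SP2": "important", "Word Viewer 2003 SP2": "important",
        "Office 2004 for Mac": "important", "Works Suite 2004": "important",
        "Works Suite 2005": "important", "Works Suite 2006": "important"}),
    "MS07-025": (False, {
        "Office 2000 SP3": "critical", "Office XP SP3": "important",
        "Office 2003 SP2": "important", "Office 2004 for Mac": "important",
        "Office 2007": "important"}),
    "MS07-026": (False, {
        "Exchange 2000 Server SP3": "critical", "Exchange Server 2003 SP1": "critical",
        "Exchange Server 2003 SP2": "critical", "Exchange Server 2007": "critical"}),
    "MS07-027": (False, {
        "IE 5.01 on Windows 2000": "critical", "IE 6 on Windows 2000": "critical",
        "IE 6 on Windows XP": "critical", "IE 7 on Windows XP": "critical",
        "IE 7 on Windows Vista": "critical",
        "IE 6 on Windows Server 2003": "moderate",
        "IE 7 on Windows Server 2003": "moderate"}),
    "MS07-028": (False, {
        "CAPICOM": "critical", "BizTalk Server 2004 SP1": "critical",
        "BizTalk Server 2004 SP2": "critical"}),
    "MS07-029": (True, {
        "Windows 2000 Server SP4": "critical", "Windows Server 2003": "critical"}),
}

Finding = namedtuple("Finding", "host bulletin product rating exploited")


def product_matches(installed, affected):
    """True if an inventory string names an affected product, optionally with
    a trailing service-pack qualifier (exact prefix plus a space)."""
    return installed == affected or installed.startswith(affected + " ")


def triage(inventory, bulletins=BULLETINS):
    """Return one Finding per (host, bulletin) that applies, ordered by what to
    patch first: already-exploited flaws, then the highest rating any installed
    product earns under that bulletin, then bulletin ID and host name."""
    findings = []
    for host, products in inventory.items():
        for bulletin_id, (exploited, ratings) in bulletins.items():
            best = None  # keep the worst-rated matching product per bulletin
            for installed in products:
                for affected, rating in ratings.items():
                    if product_matches(installed, affected) and (
                            best is None
                            or SEVERITY_RANK[rating] > SEVERITY_RANK[best.rating]):
                        best = Finding(host, bulletin_id, installed, rating, exploited)
            if best is not None:
                findings.append(best)
    findings.sort(key=lambda f: (not f.exploited, -SEVERITY_RANK[f.rating],
                                 f.bulletin, f.host))
    return findings


def hosts_per_bulletin(findings):
    """Count affected hosts per bulletin, to size each rollout."""
    counts = {}
    for f in findings:
        counts[f.bulletin] = counts.get(f.bulletin, 0) + 1
    return counts


# Constructed sample inventory (host -> installed products), using the same
# product strings as the table above; a real one would come from SMS/WSUS
# or a login script.
SAMPLE_INVENTORY = {
    "dc01": ["Windows Server 2003 SP1", "IE 6 on Windows Server 2003"],
    "mail01": ["Windows Server 2003 SP2", "Exchange Server 2003 SP2",
               "IE 6 on Windows Server 2003"],
    "ws-finance": ["Windows XP SP2", "Office 2000 SP3", "Excel 2000 SP3",
                   "Word 2000 SP3", "IE 6 on Windows XP"],
    "ws-legacy": ["Windows 2000 Professional SP4", "Works Suite 2005",
                  "IE 5.01 on Windows 2000"],
    "mac-design": ["Office 2004 for Mac"],
}

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.host:11} {f.bulletin} {f.rating:9} {f.product:28}"
              f"{' EXPLOITED' if f.exploited else ''}")
    print(hosts_per_bulletin(results))
```

Note that the matching is deliberately literal: a Windows 2000 Professional host does not pick up MS07-029, and a Windows XP host does not either, exactly as the bulletin notes say, while "Windows Server 2003 SP2" still matches the bulletin's "all versions of Windows Server 2003". The ordering also surfaces a Works Suite box with only an important rating near the top because its flaw is already being exploited, which is the point the column makes about MS07-024.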

There are mitigating factors and possible workarounds, but
companies need to evaluate them case by case. Finally, don’t forget
that interactions between the various workarounds could have unintended
consequences, so test any combination before relying on it in place of the patch.


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.