After canceling March’s Patch Tuesday, Microsoft made up for
lost time when it released a critical security bulletin a week before the
regular schedule to plug the highly publicized animated cursor exploit. A week
later, Redmond released five more security bulletins, rating four of them as
critical. (The remaining update addresses an important threat.)

Most noteworthy about these updates? Windows Vista has made
it onto the list of affected platforms for two of the six security bulletins.

Details

Following on the heels of an emergency patch
to fix the animated cursor vulnerability, four critical security bulletins and
one important security bulletin round out April’s Patch Tuesday. The critical
updates patch the most dangerous kind of threat — one that allows remote code
execution or complete control of the vulnerable system.

Here’s a closer look at each update. As always, remember to
check the actual security bulletins in case of updates.

MS07-017

Microsoft Security Bulletin MS07-017, “Vulnerabilities in GDI Could Allow Remote
Code Execution,” addresses a whopping seven separate vulnerabilities:

  • GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)
  • WMF Denial of Service Vulnerability (CVE-2007-1211)
  • EMF Elevation of Privilege Vulnerability (CVE-2007-1212)
  • GDI Invalid Window Size Elevation of Privilege Vulnerability (CVE-2006-5586)
  • Windows Animated Cursor Remote Code Execution Vulnerability (CVE-2007-0038)
  • GDI Incorrect Parameter Local Elevation of Privilege Vulnerability (CVE-2007-1215)
  • Font Rasterizer Vulnerability (CVE-2007-1213)

These vulnerabilities present elevation of privilege,
denial-of-service, and remote code execution threats; each affects different
versions of Windows and poses a different threat level. See the
security bulletin for specifics.

However, collectively, this update affects Windows 2000 SP4,
all versions of Windows XP, all versions of Windows Server 2003, and all
versions of Windows Vista. It’s collectively a critical threat for all affected
platforms. This update also replaces several bulletins for some platforms; the
security bulletin has more details.

This was an urgently needed patch as attackers have been actively exploiting
the animated cursor vulnerability. In addition, proof-of-concept code has been
circulating for the GDI Local Elevation of Privilege Vulnerability, but there
had been no reports of exploits at the time of publication. The remaining five
vulnerabilities were newly discovered vulnerabilities, and there had been no
reports of active exploits at the time of publication.

MS07-018

Microsoft Security Bulletin MS07-018, “Vulnerabilities in Microsoft Content
Management Server Could Allow Remote Code Execution,” addresses two
vulnerabilities: the CMS Memory Corruption Vulnerability (CVE-2007-0938)
and the CMS Cross-Site Scripting and Spoofing Vulnerability (CVE-2007-0939).
These are newly discovered vulnerabilities, and there had been no reports of
active exploits at the time of publication.

This is a remote code execution threat that affects Content
Management Server 2001 SP1 and Content Management Server 2002 SP2. The CMS
Memory Corruption Vulnerability is a critical threat for all affected versions;
the CMS Cross-Site Scripting and Spoofing Vulnerability is an important threat.

MS07-019

Microsoft Security Bulletin MS07-019, “Vulnerability in Universal Plug and Play
Could Allow Remote Code Execution,” addresses the UPnP Memory Corruption
Vulnerability (CVE-2007-1204).
This is a newly discovered vulnerability, and there had been no reports of
active exploits at the time of publication.

This remote code execution threat only affects Windows XP
SP2, Windows XP Professional x64 Edition, and Windows XP Professional x64
Edition SP2. It’s a critical threat for all affected versions.

Microsoft-approved workarounds include disabling the
Universal Plug and Play service and blocking UDP port 1900 and TCP port 2869 at
the firewall. Read the security bulletin for more details.
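A host-side check related to this workaround, as an added example that is not from the bulletin or the original column: it parses `netstat -an` and `sc qc` output to show whether anything is still bound to UDP 1900 or TCP 2869 and whether the service start type is DISABLED. The service name `upnphost` and both sample outputs are assumptions constructed for illustration.

```python
import re

# The two ports the workaround says to block at the firewall.
WORKAROUND_PORTS = {("UDP", 1900), ("TCP", 2869)}

# Constructed sample of `netstat -an` output from a host without the workaround.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.5:445        ESTABLISHED
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.1.20:1900      *:*
"""

# Constructed sample of `sc qc upnphost` output (service name is an assumption).
SAMPLE_SC_QC = """\
SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
"""

def exposed_listeners(netstat_text):
    """Return sorted (proto, address, port) tuples bound on the workaround ports."""
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in WORKAROUND_PORTS:
            continue
        # TCP rows count only when LISTENING; UDP rows have no state column.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        # Loopback-only binds are not reachable from the network.
        if addr.startswith("127.") or addr == "[::1]":
            continue
        hits.add((proto, addr, int(port)))
    return sorted(hits)

def service_disabled(sc_qc_text):
    """True when the START_TYPE line reports DISABLED."""
    m = re.search(r"START_TYPE\s*:\s*\d+\s+(\w+)", sc_qc_text)
    return bool(m) and m.group(1) == "DISABLED"
```

A listener reported here is still reachable from the network unless the firewall rule covers it, and the firewall rule itself has to be verified separately.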

MS07-020

Microsoft Security Bulletin MS07-020, “Vulnerability in Microsoft Agent Could
Allow Remote Code Execution,” addresses the Microsoft Agent URL Parsing
Vulnerability (CVE-2007-1205).
This is a newly discovered vulnerability, and there had been no reports of
active exploits at the time of publication.

Yet another remote code execution threat, this update
affects Windows 2000 SP4, all versions of Windows XP, and all versions of
Windows Server 2003. It does not affect Windows Vista. In addition, this does
not affect users running Internet Explorer 7.x.

This is a critical threat for Windows 2000 SP4 and Windows
XP SP2; it’s a moderate threat for all versions of Windows Server 2003. A
simple workaround is to disable ActiveX controls.

MS07-021

Microsoft Security Bulletin MS07-021, “Vulnerabilities in CSRSS Could Allow
Remote Code Execution,” addresses three vulnerabilities:

This update affects Windows 2000 SP4, all versions of
Windows XP, all versions of Windows Server 2003, and all versions of Windows
Vista. While the three vulnerabilities pose various levels of threats, the
collective threat is critical. The MsgBox (CSRSS) Remote Code Execution Vulnerability
was public knowledge, and proof-of-concept code was circulating. However, there
had been no reports of active exploits at the time of publication.

MS07-022

Microsoft Security Bulletin MS07-022, “Vulnerability in Windows Kernel Could
Allow Elevation of Privilege,” addresses the Kernel Local Elevation of
Privilege Vulnerability (CVE-2007-1206).
This is a newly discovered vulnerability, and there had been no reports of
active exploits at the time of publication.

This update affects Windows 2000 SP4, Windows XP SP2,
Windows Server 2003, Windows Server 2003 SP1, and Windows Server 2003 SP2. It is
an important threat for all affected versions. This bulletin replaces
Microsoft Security Bulletin MS06-049 for Windows 2000 SP4 only.

Final word

Some financial analysts are speculating that Microsoft has
reached the end of the line in Windows development, and they don’t expect to
see any major releases in the future — and I agree. If nothing else, the way
Windows keeps bloating, it would take several DVDs to even carry the files for
a major post-Vista release.

I think Microsoft’s only hope in the OS market is to release
a tightly coded version of Windows — highly secure, built from scratch, and containing
only the most essential and popular features of Windows — not one that
includes every bell and whistle every single user has suggested that a
Microsoft OS should incorporate over the decades.

I find it very telling that one-third of these updates affect
Windows Vista, the purported culmination of all the safe and secure programming
practices that the world’s largest software company could bring to bear. If
this is the best an American company can do, I guess we’d better leave
programming to the programmers in India.

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.