Microsoft Patch Tuesday: May 2007

May proves to be a busy month for Windows administrators, as we received information on no fewer than 21 vulnerabilities being addressed in this month’s 7 patches. If you happen to be responsible for any DNS servers running on Windows 2000 Server, Windows Server 2003 or SBS, you will most likely want to skip to the last one and work your way up. For the rest of us, we’ll start with the IE issues and continue from there:

MS07-027; 931768 Cumulative Security Update for Internet Explorer
This is the seemingly monthly cumulative patch for IE issues. Six distinct issues are addressed in IE this month, as well as two issues in third-party ActiveX controls. Note that these two are only mentioned as footnotes in the advisory and therefore do not have their own Urgency Ratings from Microsoft. Unless otherwise stated, all of these may allow an attacker to run their code at the privilege level of the current user. IE7 is vulnerable to only four of them.

  • Microsoft Internet Explorer CHTSKDIC.DLL Arbitrary Code Execution Vulnerability
    BID 19529; CVE-2007-0942 & CVE-2006-4193 (Symantec Urgency Rating: 8.5; MS Rating: Critical)
    This vulnerability was first published in August of last year, and affects all versions of IE5.01 and IE6. IE7 on XP is not vulnerable by default, but can be made vulnerable by user configuration (allowing the affected COM object via the ActiveX opt-in feature), and IE7 on Vista is not vulnerable at all.
  • Microsoft Internet Explorer DHTML Method Call Remote Code Execution Vulnerability
    BID 23771; CVE-2007-0944 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    This vulnerability is due to insecure handling of references to deleted or improperly-initialized DHTML objects.
  • Microsoft Internet Explorer Property Method Remote Code Execution Vulnerability
    BID 23769; CVE-2007-0945 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    This issue affects IE6 and IE7, and is caused by improper handling of malformed ‘property’ method calls.
  • Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability
    BID 23772; CVE-2007-0947 (Symantec Urgency Rating: 8.5; MS Rating: Important)
    When IE6 or IE7 (even on Vista) attempts to access a freed object in memory, Bad Things can happen. As usual, Bad Things means remote code execution.
  • Microsoft Internet Explorer HTML Objects Script Errors Variant Remote Code Execution Vulnerability
    BID 23770; CVE-2007-0946 (Symantec Urgency Rating: 8.3; MS Rating: Important)
    This is a slight variant of the vulnerability described above, but affects only IE7, including IE7 on Vista.
  • Microsoft Windows Media Server MDSauth.DLL ActiveX Control Remote Code Execution Vulnerability
    BID 23827; CVE-2007-2221 (Symantec Urgency Rating: 7.8; MS Rating: Critical)
    This ActiveX control can be exploited as well, allowing attackers to run arbitrary code or crash the application.
  • Acer LunchApp.APlunch ActiveX Control Remote Code Execution Vulnerability
    BID 21207; (Symantec Urgency Rating: 8.5; MS Rating: N/A)
    This vulnerability affects only specific Acer laptops (the TravelMate 4150 and Aspire 5600) that have the default LunchApp.APlunch installed (version 1 only). The included ActiveX control marks several methods as ‘safe for scripting’, including the ever-popular ‘run’ method, which of course allows an attacker to specify any file for execution. This was disclosed in November of 2006, and an exploit is available publicly. While this is not a Microsoft product, due to the nature of the vulnerability they have set the kill bit for the relevant CLSID in concert with Acer.
  • Research In Motion Blackberry ActiveX Control Unspecified Vulnerability
    BID 23331; (Symantec Urgency Rating: 7.1; MS Rating: N/A)
    This is another third-party ActiveX control. This one is vulnerable to a buffer overflow, and has also had the appropriate kill bit set in this patch.
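
The kill bits mentioned for the two third-party controls are stored per CLSID as bit 0x400 of the `Compatibility Flags` value under IE's `ActiveX Compatibility` registry key. The following is an added example, not code from the original post or from Microsoft, that audits a `reg export` dump of that key to confirm the bit is set; the CLSIDs are constructed placeholders, since the post does not list the real ones.

```python
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that stops IE instantiating the control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

KEY_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$')
CLSID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

# Constructed sample export; both CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00800000
"""

def parse_compat_flags(reg_text):
    """Return {CLSID (upper case): flags} for each ActiveX Compatibility subkey."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            parent, _, leaf = m.group(1).rpartition("\\")
            is_clsid = parent.upper() == BASE.upper() and CLSID_RE.match(leaf)
            current = leaf.upper() if is_clsid else None
            if current:
                flags.setdefault(current, 0)  # key exists but may carry no flags value
            continue
        m = FLAGS_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags

def audit_kill_bits(reg_text, required_clsids):
    """Map each required CLSID to 'set', 'not set' (bit clear) or 'missing' (no key)."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in required_clsids:
        key = clsid.upper()
        if key not in flags:
            report[key] = "missing"
        else:
            report[key] = "set" if flags[key] & KILL_BIT else "not set"
    return report
```

A "missing" or "not set" result for a CLSID the update is supposed to block means the patch did not land on that host or the value was changed afterwards.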

MS07-026; 931832 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution
This patch addresses four issues in Exchange Server. The most significant of these can be exploited to run arbitrary code in the security context of Exchange.

  • Microsoft Exchange Base64 MIME Message Remote Code Execution Vulnerability
    BID 23809; CVE-2007-0213 (Symantec Urgency Rating: 8.2; MS Rating: Critical)
    Exchange Server 2000, 2003, and 2007 can all be made to execute attacker-supplied code when attempting to decode base64 MIME attachments.
  • Microsoft Outlook Web Access Remote Script Injection Vulnerability
    BID 23806; CVE-2007-0220 (Symantec Urgency Rating: 7.8; MS Rating: Important)
    Outlook Web Access is prone to script injection attacks that could allow unauthorized users to log in as valid users and access all OWA functionality on the targeted user’s email. This vulnerability occurs in the code that handles UTF character set labels in inbound attachments.
  • Microsoft Exchange iCal Request Remote Denial of Service Vulnerability
    BID 23808; CVE-2007-0039 (Symantec Urgency Rating: 7.1; MS Rating: Important)
    An Exchange server can be brought down by sending a malicious iCal request to any user on the system. The Microsoft Exchange Information Store will need to be restarted in order to restore functionality. Exchange Server 2000, 2003 and 2007 are affected.
  • Microsoft Exchange IMAP Command Processing Remote Denial of Service Vulnerability
    BID 23810; CVE-2007-0221 (Symantec Urgency Rating: 7.1; MS Rating: Important)
    Exchange Server 2000 can be brought down by attackers who supply a currently unspecified invalid IMAP command. The IIS Admin service would need to be restarted in order to regain any mail server functionality.

MS07-028; 931906 Vulnerabilities in Capicom Could Allow Remote Code Execution

  • Microsoft Capicom ActiveX Control Remote Code Execution Vulnerability
    BID 23782; CVE-2007-0940 (Symantec Urgency Rating: 8.3; MS Rating: Critical)
    By supplying specially-crafted input to a currently unspecified parameter in the CAPICOM Certificates Class, an attacker can cause this ActiveX control to run arbitrary code at the privilege level of the current user. The affected control shipped with all versions of BizTalk Server 2004; BizTalk 2000, 2002 and 2006 are not affected.

MS07-024; 934232 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
This release patches three vulnerabilities in MS Word (and Works, in one case).

  • Microsoft Word 2000/2002 Remote Code Execution Vulnerability
    BID 22567; CVE-2007-0870 (Symantec Urgency Rating: 8.5; MS Rating: Critical)
    Word 2000 and 2002 can be made to run attacker code via a hostile Document Stream object. This vulnerability was previously disclosed in February.
  • Microsoft Word Array Remote Code Execution Vulnerability
    BID 23804; CVE-2007-0035 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    Maliciously crafted arrays in Word documents can cause code of the attacker’s choice to run in the security context of the current user. Word 2000, 2002, 2003 and 2004 for Mac are affected, as well as the 2003 viewer, and even Works 2004, 2005 and 2006.
  • Microsoft Word RTF Parsing Remote Code Execution Vulnerability
    BID 23836; CVE-2007-1202 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    The RTF format strikes again, this time in Word 2000, 2002, 2003 and 2004 for Mac. Unspecified rich-text properties are mishandled in such a way that a maliciously crafted file could include code that would be executed in the context of the current user.

MS07-023; 934233 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
Each of these vulnerabilities offers attackers a different way to include code into an Excel file, which will run on vulnerable target systems when the file is opened. See the linked writeups and advisory for detailed affected version lists, but in general these affect all Excel versions 2000 and newer, with the exception of 2007, which is only vulnerable to BID 23779.

  • Microsoft Excel BIFF record Remote Code Execution Vulnerability
    BID 23760; CVE-2007-0215 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
  • Microsoft Excel Set Font Remote Code Execution Vulnerability
    BID 23779; CVE-2007-1203 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
  • Microsoft Excel Filter Records Remote Code Execution Vulnerability
    BID 23780; CVE-2007-1214 (Symantec Urgency Rating: 7.1; MS Rating: Critical)

MS07-025; 934873 Vulnerability in Microsoft Office Could Allow Remote Code Execution

  • Microsoft Office Malformed Drawing Object Remote Code Execution Vulnerability
    BID 23826; CVE-2007-1747 (Symantec Urgency Rating: 7.1; MS Rating: Critical)
    Office 2000, 2003, 2004 for Mac, XP and 2007 are all prone to an error in handling drawing objects. A hostile drawing object can be embedded into any Office-readable file format, and will then cause attacker code to run in the context of the current user.

MS07-029; 935966 Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

  • Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability
    BID 23470; CVE-2007-1748 (Symantec Urgency Rating: ; MS Rating: Critical)
    Flaws in the DNS RPC Interface can allow attackers to gain SYSTEM privileges on affected computers. This issue affects Windows 2000 Server, Windows Server 2003 and Small Business Server 2000 and 2003. This vulnerability was first discovered in April via observation of targeted attacks, and has since been exploited in the wild with limited success by a few Rinbot variants.

And that… wraps it up for this week! Happy patching, and see you next month.