News

Microsoft Patches 7 Critical Flaws

• By Stephen Swoyer
• May 08, 2007

As promised, today's patch haul includes a fix for a flaw in Microsoft's Windows DNS service. Last month, Redmond published a security advisory warning the existence of "limited attacks" targeting a DNS vulnerability in Windows 2000 Server (SP4) and Windows Server 2003 (all versions).

That flaw, if successfully exploited, could allow a remote code execution scenario, Microsoft confirmed; in some cases, officials conceded, an attacker could even run code in the all-powerful Local System context.

Although Microsoft released fixes for both Windows 2000 Server and Windows Server 2003, it also warned that older, unsupported versions of the Windows Server product (namely, Windows NT 4.0) might also be vulnerable. Officials stressed that users of legacy Windows platforms should either migrate to a supported OS or, alternately, arrange with Microsoft for custom support options.

Today's other "critical" updates all patch flaws that, if exploited, could result in remote execution vulnerabilities. They include:

• remote code execution vulnerabilities in Microsoft Word, Microsoft Excel and Office
• remote code execution vulnerabilities in Microsoft Exchange
• remote code execution vulnerabilities in Internet Explorer
• a remote code execution vulnerability in Microsoft's Cryptographic API Component Object Model, or CAPICOM

It's been a rough year for Microsoft's Office products, and that trend only continued this month, with fixes on tap for a host of Office-related vulnerabilities -- including remote code execution flaws in Microsoft Word, Microsoft Excel and Microsoft Office as a whole.

To recap: Microsoft confirmed the existence of three vulnerabilities in Word, including:

• a Word array overflow vulnerability
• a Word document stream vulnerability
• a Word RTF parsing vulnerability

The three vulnerabilities affect, in one way or another, all supported versions of Word except Word 2007. Word 2000 is susceptible to all three vulnerabilities, according to Microsoft, which characterizes the potential impact of the flaws as "critical" in Word 2000 environments. Likewise, Word 2002 is vulnerable to all three flaws -- although Microsoft characterizes its potential exposure as "important" instead of critical.

Elsewhere, Word 2003 is vulnerable to two out of the three (the sole exception being the Word document stream vulnerability), and Microsoft Word for Mac is likewise vulnerable to at least two of the vulnerabilities (the exception being the document stream flaw). According to Microsoft, the document stream vulnerability has been the source of known exploit activity; neither of the other two Word vulnerabilities had previously been disclosed, however, nor is there any evidence (to date) of exploit code in the wild.

Redmond also patched a trio of Excel vulnerabilities, at least one of which affects Excel 2007. These include:

• an Excel BIFF record vulnerability
• an Excel set font vulnerability
• an Excel filter record vulnerability

Excel 2000 is hardest hit, overall, according to Microsoft; all three vulnerabilities merit a "critical" impact assessment in that product. Excel 2002, Excel 2003 and the Excel 2003 Viewer are susceptible to all three vulnerabilities, as well -- although Microsoft characterizes the potential impact on these systems as "important" instead of "critical."

Excel 2007 is susceptible to only one of the flaws -- the set font vulnerability -- which is likewise described as "important." Microsoft Excel for the Macintosh is susceptible to two of the three vulnerabilities (the exception being the Excel BIFF record flaw).

None of the three had previously been disclosed, Microsoft officials confirmed, and there's no evidence (to date) of exploit code in the wild.

The final Office patch actually replaces a previous Microsoft security update. It fixes a new drawing object vulnerability that affects all supported versions of Microsoft Office, including Office 2007.

This vulnerability was privately disclosed to Microsoft and there's no evidence (to date) of exploit code in the wild, officials said.

Exchange Vulnerable
The Exchange update actually patches four separate vulnerabilities in Microsoft's Exchange Server product: an Outlook Web access script injection flaw, a malformed iCal flaw, a MIME decoding flaw and an IMAP literal processing flaw.

Of these, only the MIME decoding vulnerability is linked to a potential remote code execution exploit. It consistently merits a "critical" assessment across Microsoft Exchange Server 2000 (SP3), Exchange Server 2003 (SP3) and Exchange Server 2007.

Microsoft characterizes the other flaws as "important"; the Outlook vulnerability could result in information disclosure while both the iCal and IMAP flaws are linked to potential DoS scenarios.

Only Exchange 2000 (SP3) is susceptible to all four vulnerabilities (and, again, only the MIME decoding vulnerability is assessed as "critical").

None of the four flaws had previously been disclosed and there's no evidence of exploit code in the wild, Microsoft said.

CAPICOM, Too
Finally, Microsoft also patched a vulnerability in its CAPICOM and BizTalk Server offerings. The flaw -- which Redmond describes as a CAPICOM.Certificates vulnerability -- affects CAPICOM and service packs 1 and 2 of BizTalk Server 2004.

BizTalk Server versions 2000, 2002 and 2006 are not affected, Microsoft confirmed.

The CAPICOM.Certificates flaw had not previously been disclosed, nor is there any evidence of exploit code in the wild, Microsoft indicated.

NOTE: Microsoft had not provided any additional information about the IE update as of press time.