Microsoft Black Tuesday - January 2007 - Michael Sutton's Blog

This month's bulletins leave us with two major headlines. First, 'What happened to half of the bulletins?' and second, Internet Explorer 7.0 apparently isn't quite as bulletproof as advertised. Even before Black Tuesday arrived this month, we knew that we would be receiving fewer bulletins than expected, as last Friday Microsoft pulled four of eight planned bulletins. No explanation has been given, but it's fair to assume that issues arose during final testing. While it's understandable that Microsoft would want to ensure that the patches are solid before releasing them, the delay is concerning given the number of outstanding Microsoft vulnerabilities that we're already aware of. For over a month now, Microsoft has admitted to being aware of two 0day Microsoft Word vulnerabilities being used in targeted attacks (see below), yet the January patch cycle came and went and these vulnerabilities remain outstanding. Beyond this, 3Com's Zero Day Initiative lists six pending Microsoft advisories, while eEye lists two. Expect a large volume of Microsoft bulletins in February.

The other big headline surrounds MS07-004. Microsoft and iDefense have released details of a Vector Markup Language (VML) integer overflow vulnerability which affects all modern versions of Internet Explorer including IE7. Given the significant user base affected by this issue, be sure to make MS07-004 a top patching priority.

The pared-down patch release was still significant and left us with 10 vulnerabilities in four bulletins, with the following overall severity rankings:

  • 7 Critical
  • 2 Important
  • 1 Moderate

This month's bulletins included patches for 3 public vulnerabilities. More importantly, Microsoft admits to being aware of exploitation using the VML Buffer Overrun Vulnerability (CVE-2006-4704). The following publicly known issues received patches:

  • MS07-001 (CVE-2006-5574) Office 2003 Brazilian Portuguese Grammar Checker Vulnerability
  • MS07-003 (CVE-2006-1305) Microsoft Outlook Denial of Service Vulnerability
  • MS07-004 (CVE-2007-0024) VML Buffer Overrun Vulnerability

Unfortunately, this month's bulletins did not address the following two Microsoft Word file format vulnerabilities which have now been outstanding for over a month. While Microsoft has acknowledged the vulnerabilities and the fact that they are being used in targeted attacks, they have not set release dates for patches.

Below is a cheat sheet for all 10 vulnerabilities.

Enjoy!

- michael

 

| Bulletin | Title | CVE | Severity | Discovered By | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|
| MS07-001 | Office 2003 Brazilian Portuguese Grammar Checker Vulnerability | CVE-2006-5574 | Important | | Yes | No | |
| MS07-002 | Excel Malformed IMDATA Record Vulnerability | CVE-2007-0027 | Critical | Jeff Gennari of CERT | No | No | |
| MS07-002 | Excel Malformed Record Vulnerability | CVE-2007-028 | Critical | Jie Ma of Fortinet Security Research Team | No | No | Fortinet FG-2007-01 |
| MS07-002 | Excel Malformed String Vulnerability | CVE-2007-0029 | Critical | NSFocus Security Team | No | No | |
| MS07-002 | Excel Malformed Column Record Vulnerability | CVE-2007-0030 | Critical | Greg MacManus of iDefense Labs | No | No | iDefense |
| MS07-002 | Excel Malformed Palette Record Vulnerability | CVE-2007-0031 | Critical | Greg MacManus of iDefense Labs | No | No | iDefense |
| MS07-003 | Microsoft Outlook VEVENT Vulnerability | CVE-2007-0033 | Important | Lurene Grenier of Sourcefire | No | No | |
| MS07-003 | Microsoft Outlook Denial of Service Vulnerability | CVE-2006-1305 | Moderate | | Yes | No | |
| MS07-003 | Microsoft Outlook Advanced Find Vulnerability | CVE-2007-0034 | Critical | Stuart Pearson of Computer Terrorism | No | No | |
| MS07-004 | VML Buffer Overrun Vulnerability | CVE-2007-0024 | Critical | Jospeh Moti working with iDefense | Yes | Yes | iDefense |

 


Posted 01-09-2007 2:13 PM by erik.peterson
