In its first scheduled monthly Patch Tuesday of 2007, Microsoft issued patches for 10 security flaws, fixing vulnerabilities in Excel, Outlook and Windows. 3 of the patches were deemed critical, in that they would allow bot herders to take control of targeted computers in the growing botnet problem, while a fourth patch was rated as important.
Security professionals are saying the most important update is MS07-004, which fixes a problem in the Vector Markup Language that could potentially allow remote code execution if the user visits a certain web page. This is considered crucial because it affects all versions of Internet Explorer, including the most recent release, IE 7.
The other critical and important patches, according to Microsoft and as reported by Search Security, are as follows:
MS07-002, which fixes five separate security flaws in Microsoft Excel, most of which are exploitable when the spreadsheet program parses certain files and processes malformed IMDATA, column and palette records. One of the flaws wasn't specified.
MS07-003, which fixes three separate flaws in Microsoft Outlook. The first flaw is exploitable when Outlook parses a file and processes a malformed VEVENT record. The second flaw is exploitable when Outlook parses an .oss file.
The third flaw is a denial-of-service condition that involves the way Outlook processes email header information. "An attacker who successfully exploited the vulnerability could send a malformed email to a user of Outlook that would cause the Outlook client to fail under certain circumstances," Microsoft said. "The Outlook client would continue to fail so long as the malformed email message remained on the email server."
The fourth security update, MS07-001, was rated important. It fixes a remote code execution vulnerability in the Microsoft Office 2003 Brazilian Portuguese Grammar Checker. An attacker could exploit the flaw when Office opens a file and parses the text, Microsoft said.
Today's security update was only half the number expected by many, as Microsoft said it would release 8 critical updates, but today only issued 4 of them. A Microsoft spokesman explained, "There are many factors that impact the release of a security update, and every vulnerability presents its own unique challenges," adding that Microsoft also tweaked its advance notification last month when it added MS06-078 to fix two zero-day flaws in the Windows Media Player.