Alpha Blog: CNET's gadget & tech news and opinions blogged by our editors
May 08, 2007, 11:38 AM PDT
Microsoft fixes 19 flaws in seven patches; all are considered critical updates
Posted by: Robert Vamosi

Microsoft has released its May 2007 security bulletin, which includes seven updates: all are listed as "Critical." Two of the patches affect Microsoft Windows, with one critical patch specific to Internet Explorer. Three of the patches affect Microsoft Office, and include Office for Mac 2004 users. To keep your Windows XP SP1 system secure, update to Windows XP SP2 today. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-023: Critical

Entitled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)," this bulletin affects users of Microsoft Office 2000 through 2007, plus Office 2004 for Mac, and addresses the vulnerabilities detailed in CVE-2007-0215, CVE-2007-1203, and CVE-2007-0214. Successful exploitation could lead to remote code execution.

MS07-024: Critical

Entitled "Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)," this bulletin affects users of Microsoft Office 2000 through 2003, plus Office 2004 for Mac, but does not affect Office 2007. It addresses the vulnerabilities detailed in CVE-2007-0035, CVE-2007-0870, and CVE-2007-1202. Successful exploitation could lead to remote code execution.

MS07-025: Critical

Entitled "Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)," this bulletin affects users of Microsoft Office 2000 through 2003, plus Office 2004 for Mac, but does not affect Office 2007. It addresses the vulnerability detailed in CVE-2007-1747. Successful exploitation could lead to remote code execution.

MS07-026: Critical

Entitled "Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)," this bulletin affects users of Windows Exchange 2000, Exchange Server 2003, and Exchange Server 2007, and addresses the vulnerabilities detailed in CVE-2007-0220, CVE-2007-0039, CVE-2007-1213, and CVE-2007-0221. Successful exploitation could lead to remote code execution.

MS07-027: Critical

Entitled "Cumulative Security Update for Internet Explorer (931768)," this bulletin affects users of Windows 2000 through Vista and Internet Explorer versions 5.01 through 7, and addresses the vulnerabilities detailed in CVE-2007-0942, CVE-2007-0944, CVE-2007-0945, CVE-2007-0946, CVE-2007-0946, and CVE-2007-2221. Successful exploitation could lead to remote code execution.

MS07-028: Critical

Entitled "Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)," this bulletin affects users of CAPICOM and BizTalk Server 2004, but does not affect BizTalk Server 2000, 2002, and 2006. It addresses the vulnerability detailed in CVE-2007-0940. Successful exploitation could lead to remote code execution.

MS07-029: Critical

Entitled "Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)," this bulletin affects users of Windows Server 2000 and 2003, but does not affect Windows 2000, Windows XP (SP2), and Windows Vista. It addresses the vulnerability detailed in CVE-2007-1748. Successful exploitation could lead to remote code execution.

Permalink | 2 comments

April 10, 2007, 11:08 AM PDT
Microsoft fixes eight flaws in five patches; one critical patch affects Vista
Posted by: Robert Vamosi

Microsoft has released its April 2007 security bulletin, which includes five updates: four are listed as Critical, and one is listed as Important. Four of the patches affect Microsoft Windows, with one critical patch including Windows Vista. One of the patches affects Microsoft Client Management Server. None of the patches this month affect Microsoft Office. To keep your Windows XP SP1 system secure, update to Windows XP SP2 today. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-018: Critical:

Titled "Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939)," this bulletin affects users of Microsoft Content Management Server 2001 and 2002, and it addresses the vulnerabilities detailed in CVE-2007-0938 and CVE-2007-0939. Successful exploitation could lead to remote code execution.

MS07-019: Critical:

Titled "Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261)," this bulletin affects users of Microsoft Windows XP Service Pack 2 and x64, but does not affect Windows 2000 SP4, Windows Server 2003, or Windows Vista. It addresses the vulnerability detailed in CVE-2007-1204. Successful exploitation could lead to remote code execution.

MS07-020: Critical:

Titled "Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)," this bulletin affects users of Windows 2000 (SP4), Windows XP (SP2 and x64), and Windows Server 2003 (SP1 and x64), but it does not affect Windows Vista. It addresses the vulnerability detailed in CVE-2007-1215. Successful exploitation could lead to remote code execution.

MS07-021: Critical:

Titled "Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)," this bulletin affects users of Windows 2000 (SP4), Windows XP (SP2 and x64), Windows Server 2003 (SP1 and x64), and Windows Vista. It addresses the vulnerabilities detailed in CVE-2006-6696, CVE-2006-6797, and CVE-2007-1209. Successful exploitation could lead to remote code execution.

MS07-022: Important:

Titled "Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)," this bulletin affects users of Windows 2000 (SP4), Windows XP (SP2), and Windows Server 2003 (SP1), but not Windows XP x64, Windows Server 2003 x64, or Windows Vista. It addresses the vulnerability detailed in CVE-2007-1206. Successful exploitation could lead to remote code execution.

Permalink | 1 comment

April 04, 2007, 10:42 AM PDT
One emergency Microsoft patch fixes seven flaws, Vista included
Posted by: Robert Vamosi

Microsoft issued an emergency out-of-cycle patch for the animated cursor flaw in Microsoft Windows. Microsoft's regular every-second-Tuesday-of-the-month patch cycle was interrupted in March 2007, when the software vendor issued no patches, and will resume next week, on Tuesday, April 10, 2007. The patch includes the first security bulletin that explicitly includes Windows Vista users. Microsoft security patches for Windows software are available via Microsoft Update or via the individual bulletin detailed below.

MS07-017: Critical

Entitled "Vulnerabilities in GDI Could Allow Remote Code Execution (925902)," this bulletin affects Windows 2000 SP4, Windows XP (SP2 and x64), Windows Server 2003 (SP1, 2, Itanium, x64), and Windows Vista, and addresses the vulnerabilities detailed in CVE-2006-5758; CVE-2006-5586; CVE-2007-1212; CVE-2007-0038; CVE-2007-1215; CVE-2007-1213. Successful exploitation could lead to remote code execution.

For more on the animated cursor flaw and the release of this out-of-cycle patch, see Joris Evers' story on News.com.

Permalink | Post a comment

March 30, 2007, 12:52 PM PDT
Windows animated cursor attack: Prevention and cure
Posted by: Robert Vamosi

There's a new Microsoft Windows vulnerability caused by an unspecified error in the way Windows 2000, XP, and Vista handle animated cursors. Animated cursors allow a mouse pointer to appear animated on a Web site. The feature is often designated by the .ani suffix, but attacks for this vulnerability are not constrained by this file type, so simply blocking ANI files won't necessarily protect a PC. Successful exploitation can result in memory corruption when processing cursors, animated cursors, and icons. According to Arbor Networks, the malicious code on compromised Web sites exploiting this flaw appears to be originating from the following sites, which you may want to block:

wsfgfdgrtyhgfd.net

85.255.113.4

uniq-soft.com

fdghewrtewrtyrew.biz

newasp.com.cn

To become infected, visitors must be using Internet Explorer 6 or 7; there is no need to click, because just visiting an infected site is enough for an infection. The flaw does not affect the Firefox or Opera browsers. Therefore, until a patch is released, users might want to browse the Internet using a non-Internet Explorer browser.
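The point above that filtering on the .ani suffix is not enough can be shown with a content check. This is an added example, not part of the original post: it identifies cursor and icon data by its leading bytes (animated cursors are RIFF files with the form type ACON) and compares that with the file name. The function names and sample files are constructed for illustration, and the ICO/CUR header test is a heuristic.

```python
import os
import struct

# Extensions normally used for each Windows cursor/icon content type.
EXPECTED_EXT = {"ani": {".ani"}, "cur": {".cur"}, "ico": {".ico"}}

def sniff_cursor_type(data: bytes):
    """Return 'ani', 'cur', 'ico' or None, judging by leading bytes only."""
    # Animated cursors are RIFF containers whose form type is 'ACON'.
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "ani"
    # ICO and CUR share a header: reserved=0, type (1=icon, 2=cursor), count.
    if len(data) >= 6:
        reserved, kind, count = struct.unpack_from("<HHH", data)
        if reserved == 0 and count > 0 and kind in (1, 2):
            return "ico" if kind == 1 else "cur"
    return None

def classify_download(name: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes contain."""
    ext = os.path.splitext(name.lower())[1]
    kind = sniff_cursor_type(data)
    return {
        "name": name,
        "content_type": kind,
        "disguised": kind is not None and ext not in EXPECTED_EXT[kind],
        "caught_by_ani_extension_rule": ext == ".ani",
    }

def missed_by_extension_rule(samples):
    """Names a content-based rule would hold but a '*.ani' block lets through."""
    results = (classify_download(n, d) for n, d in samples)
    return [r["name"] for r in results
            if r["content_type"] and not r["caught_by_ani_extension_rule"]]

# Constructed sample inputs (headers only, no real payloads).
ANI_SAMPLE = b"RIFF" + struct.pack("<I", 4) + b"ACON"
CUR_SAMPLE = struct.pack("<HHH", 0, 2, 1) + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLES = [
    ("pointer.ani", ANI_SAMPLE),
    ("banner.jpg", ANI_SAMPLE),   # animated cursor served under another name
    ("arrow.cur", CUR_SAMPLE),
    ("photo.jpg", JPEG_SAMPLE),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(classify_download(name, data))
    print("missed by *.ani rule:", missed_by_extension_rule(SAMPLES))
```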

Additional resources

Microsoft: Advisory 935423

NIST: CVE-2007-1765

Arbor Networks: Any ANI file could infect you

Permalink | 11 comments

March 26, 2007, 10:49 AM PDT
McAfee to screen mobile content for malicious code
Posted by: Robert Vamosi

Today at CTIA in Orlando, Florida, security vendor McAfee announced a new filtering service for mobile service providers to screen unwanted content originating from subscriber cell phones. McAfee says its research shows mobile subscribers are increasingly using their cell phones for social networking and building online communities, either on-deck (within the provider's environment) or off-portal (on sites beyond the provider's environment, such as MySpace). With that trend comes the potential for subscribers to upload malware that might spread to others, potentially reducing the overall confidence in mobile as a content delivery option.

The service, called McAfee OK, works at the provider level and inspects all mobile content such as ring tones, images, video, and even applications that may be uploaded by subscribers onto the network. McAfee OK consists of software and services that can be integrated into existing mobile content delivery infrastructures and is supported by a dedicated mobile research team at McAfee.

Permalink | Post a comment

March 26, 2007, 10:35 AM PDT
Symantec announces new mobile security suites
Posted by: Robert Vamosi

Symantec beefed up its existing enterprise mobile security suite in response to dual-mode (cell and wireless Internet) smart phones that have hit the market. The new suite, designed for corporations to roll out to their employees using Windows Mobile technology, includes an antivirus application; a personal firewall; an anti-SMS spam application; data encryption for both the device itself and memory cards; feature control to disable Bluetooth, wireless, and syncing when not necessary; and an optional virtual private network (VPN), version 2.6, with network access control that can be set to allow only policy-compliant devices.

In May, Symantec plans to release a consumer version, Symantec Mobile Security. The suite will include antivirus protection, a personal firewall, anti-SMS spam protection, a password manager, and data-encryption technology.

Permalink | Post a comment

March 23, 2007, 12:52 PM PDT
Is Windows Vista the most secure operating system?
Posted by: Robert Vamosi

Jeff Jones, Security Strategy director in Microsoft's Trustworthy Computing group, has posted a PDF report showing that in its first 90 days, Windows Vista had fewer vulnerabilities than competing operating systems. He produces a chart illustrating that Windows XP in its first 90 days required Microsoft to patch a total of 14 vulnerabilities, 8 rated critical; RedHat needed to patch a total of 181 vulnerabilities, 58 rated "high severity" by the U.S. National Vulnerability Database, within Enterprise Linux 4 Workstation's first 90 days; Ubuntu had to fix 24 vulnerabilities disclosed before the public release of Ubuntu 6.06 LTS, with 7 of 9 critical vulnerabilities patched within the first week; and Jones says that Apple had to fix 10 vulnerabilities already publicly disclosed prior to the release of Mac OS 10.4 and another 4 during the first 90 days after the April 29, 2005 release. All the above data comes from Jones and Microsoft.

Jones notes that within Windows Vista's first 90 days, Microsoft issued only one security bulletin, MS07-010, which covered the Microsoft Malware Engine, and includes other versions of Windows as well as Windows Live OneCare. (So, what, it's not really a vulnerability within Windows Vista?) However, Microsoft did not issue its March 2007 security bulletin, leading some critics to allege that Microsoft fixed the results. The April 2007 security bulletin, should it be full of Windows Vista vulnerabilities, would certainly support that theory.

Another way to look at the relative security of an operating system is to consult an independent source. We frequently cite vulnerability statistics from security vendor Secunia. They say that, to date, Windows Vista has 67 percent unpatched vulnerabilities (2 of 3 Secunia advisories).

How does that compare to the competition?

  • Windows XP Professional scores 18 percent in unpatched vulnerabilities (33 of 179 Secunia advisories) over the lifetime of the product.

  • Windows XP Home also scores 18 percent in unpatched vulnerabilities (30 of 163 Secunia advisories) over the lifetime of the product.

  • Sun Solaris 10 scores 11 percent in unpatched vulnerabilities (11 of 99 Secunia advisories) over the lifetime of the product.

  • Apple Mac OS X (all flavors) scores 7 percent in unpatched vulnerabilities (7 of 100 Secunia advisories) over the lifetime of the product.

  • RedHat Linux 9 scores 1 percent in unpatched vulnerabilities (1 of 99 Secunia advisories) over the lifetime of the product.

  • Ubuntu (Linux) scores a remarkable zero percent in unpatched vulnerabilities (0 of 61 Secunia advisories) over the lifetime of the product.

Looking at these numbers, one might conclude that Microsoft has a bit more work to do to prove that Windows Vista is more secure than the competition.

Permalink | 1 comment

March 23, 2007, 10:49 AM PDT
Photocopiers: New source of identity thefts?
Posted by: Robert Vamosi

Most of us take photocopiers for granted, using them in the office, at public libraries, and in local copy shops to make reproductions of driver's licenses, passports, and other personal information. What most people don't realize is that these large, industrial photocopiers made within the last five years use hard drives. The document data are stored on the drive before the document is copied or printed and remain there until the drive is full, when new data begin to overwrite the old. Home and home-office copiers still use volatile RAM-based memory, meaning that when the unit is turned off, the memory is erased. To date, there have been no reported identity thefts that used a photocopier with a hard drive, but security researchers agree the potential for abuse exists.

Sharp, one of the leading manufacturers of industrial photocopiers, issued a press release this week, just in time for tax season. Sharp commissioned a survey of 1,005 adults in January 2007 and found half of those contacted did not realize copiers posed a significant security risk. Additionally, 54 percent of the respondents didn't realize that photocopiers stored images of the documents they had reproduced. And a majority of the 54 percent thought photocopying and mailing sensitive documents was safer than providing similar information over the Internet.

The survey also found that 55 percent of Americans plan to photocopy some portion of their tax returns and other tax-related documents at offices, libraries, and copy shops. Another 13 percent will have tax-related materials photocopied in tax preparers' offices.

Sharp provides a security kit for its printers. The kit encrypts all images stored on the hard drive, then overwrites the printed document with ones and zeros so that they cannot be reconstructed later, a technique known as digitally shredding a document. Sharp advises individuals to ask whether a given printer has security installed. For its printers with Internet connections, Sharp says it uses NICs (network interface cards) with built-in firewall protection.

The Xerox corporation announced last fall that it also would include security features in its industrial photocopiers.

Permalink | Post a comment

March 20, 2007, 9:44 PM PDT
Firefox 2.0.0.3 and 1.5.0.11 released
Posted by: Robert Vamosi

Mozilla today released security updates for Firefox 2 and Firefox 1.5. Security updates for Firefox 1.5 will be available only until April 24, 2007, when Mozilla will stop supporting the earlier version. Mozilla is encouraging current 1.5 users to upgrade to 2.0 soon. Current users of Firefox 2.0 and 1.5 will receive an automatic update notification and will need to reload the browser for the changes to take effect. This update patches a flaw in the FTP protocol used by Firefox. It has been reported that a specially coded FTP server could use this vulnerability to perform a rudimentary port-scan of machines inside the firewall. Mozilla says the vulnerability by itself poses no danger, but information about an internal network may be revealed and become useful to an attacker should there be other vulnerabilities present on the network. This update was first tested in beta release by Mozilla a few days ago.

Permalink | Post a comment

March 16, 2007, 2:18 PM PDT
Mozilla to beta test its Firefox version 2.0.0.3 security updates
Posted by: Robert Vamosi

According to Mozilla, everyone who participated in the beta process for Firefox 2 will be offered a prerelease version of the next security and stability update within the next 24 hours. Beta builds and release candidates for browsers often receive wide testing and feedback as part of Mozilla's development community program, so why not pretest its security updates as well? The final release of Firefox 2.0.0.3 is expected to take place shortly after Mozilla completes its testing through this new program.

Permalink | Post a comment


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved. | Privacy Policy | Terms of Use