For July’s Patch Tuesday, Microsoft released seven security bulletins, five of which it has rated critical. (The remaining two are important threats.) The vulnerabilities apply to virtually every Office component in current use, including Macintosh applications and even Microsoft Works.
Details

In addition to the rather esoteric threats that we often see every Patch Tuesday, this month’s batch includes multiple critical flaws in Office components that can lead to remote code execution. Consequently, everyone—not just companies with large network installations or those using advanced features—should carefully review the July updates. Basically, if your organization uses or supports any Microsoft product, you need to check out these security bulletins.
Critical threats

MS06-035

Microsoft Security Bulletin MS06-035, “Vulnerability in Server Service Could Allow Remote Code Execution,” addresses a remote code execution threat and an information disclosure threat. These are newly discovered threats.

This is a critical threat to Windows 2000, Windows XP, and Windows Server 2003 platforms—including systems with all service packs installed—but it doesn’t affect Windows 98, Windows SE, and Windows ME systems. This bulletin replaces Security Bulletin MS05-027 for Windows XP and Windows Server 2003 systems.



MS06-036

Microsoft Security Bulletin MS06-036, “Vulnerability in DHCP Client Service Could Allow Remote Code Execution,” addresses a buffer overrun vulnerability in the Dynamic Host Configuration Protocol (DHCP) client service. This is a newly discovered remote code execution threat, which an anonymous user can exploit remotely.

This is a critical threat to Windows 2000, Windows XP, and Windows Server 2003 platforms—including systems with all service packs installed—but it doesn’t affect Windows 98, Windows SE, and Windows ME systems. Using a static IP address will mitigate the danger, but this approach also opens your systems to other threats. You can also disable the DHCP Client service via Control Panel | Administrative Tools | Services.

MS06-037

Microsoft Security Bulletin MS06-037, “Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution,” addresses multiple Excel vulnerabilities that can allow remote code execution. Some of the holes patched by this update are publicly disclosed vulnerabilities.

It’s important to note that this bulletin affects all newer versions of Excel and Microsoft Office, including those running on the Macintosh platform. However, this bulletin is a critical threat for Microsoft Excel 2000 on Windows platforms only. For all other affected versions, this is only an important threat.

MS06-038

Microsoft Security Bulletin MS06-038, “Vulnerabilities in Microsoft Office Could Allow Remote Code Execution,” addresses another remote code execution threat that affects almost all Office components (including Viewer, FrontPage, OneNote, and even Visio). Some of the holes patched by this update are publicly disclosed vulnerabilities.

This bulletin affects Office 2003 SP1, Office 2003 SP2, Office XP SP3, and Office 2000 SP3; it also affects individual Windows applications, including Project 2002 SP1, Visio 2002 SP2, and Project 2000 Service Release 1, as well as Office 2004 for Mac and Office v. X for Mac. The vulnerabilities addressed by this bulletin do not affect Microsoft Works Suite 2004, Works Suite 2005, or Works Suite 2006.

While the vulnerabilities covered by this bulletin include both new and publicly known vulnerabilities, this is a critical threat for Office 2000 only. For all other affected versions, this is only an important threat.

MS06-039

Microsoft Security Bulletin MS06-039, “Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution,” addresses another remote code execution threat that affects multiple Office versions and components. The two holes patched by this update are newly discovered threats.

This bulletin affects Office 2003 SP1 and SP2 (including Project 2003 and OneNote 2003), Office XP SP3, and Office 2000 SP3. It also affects Project 2000, Project 2002, Works Suite 2004, Works Suite 2005, and Works Suite 2006. This update does not affect Office Viewers, Office 2004 for Mac, and Office v. X for Mac.

This is a critical threat for Office 2000 only. For all other affected versions, it’s an important or moderate threat.
Less critical threats

In addition to these major threats, Microsoft released two security bulletins for July that it rated as important.

* Microsoft Security Bulletin MS06-033 “Vulnerability in ASP.NET Could Allow Information Disclosure”
* Microsoft Security Bulletin MS06-034 “Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution”

At least one of these may have significant implications for developers, but the implications aren’t completely clear yet. If either bulletin turns out to be significant, I’ll address it in the next IT Locksmith article.
Final word

As usual, Microsoft’s monthly security update release included several critical threats. However, it’s important to note that many of these threats are only critical for the older Windows or Office 2000 platforms. (Newer releases have various updated default installation settings or other mitigating factors.)

That means that the actual security impact of all of these critical security bulletins is far less severe than it may at first appear. Unfortunately, they do apply to virtually every Windows platform as well as many Macintosh platforms. So even if the threats aren’t particularly critical for most organizations, the work involved with patching the vulnerabilities is still extensive.
