5 IE Flaws Patched with 14 Others

By Nate Mook | Published May 9, 2007, 1:44 PM

For May's Patch Tuesday, Microsoft corrected a total of 19 security flaws across its consumer and business product lines, with a cumulative update for Internet Explorer fixing five remote code execution vulnerabilities. A highly publicized flaw in the Windows DNS Server service was also patched.

Seven critical security bulletins were issued, three of which affect Office. MS07-023 fixes three separate flaws in Excel that could lead to remote code execution, while MS07-024 does the same for three vulnerabilities in Microsoft Word.

MS07-025 patches a critical vulnerability in Office related to the way the software handles a specially crafted drawing object. An attacker could exploit this vulnerability when Office parses a file and processes a malformed drawing object. All versions of Microsoft Office from 2000 to 2007 are affected.

Targeting Exchange Server, MS07-026 resolves four critical issues related to Outlook Web Access script injection, malformed iCal files, MIME decoding and IMAP literal processing. Exchange 2000 through 2007 could be exposed to remote code execution.

MS07-027 is a large bulletin for Internet Explorer 6 and 7, in addition to version 5.01 on Windows 2000. Five separate vulnerabilities have been addressed by the patch, and Microsoft is urging all users to update their browsers. One zero-day vulnerability is among the fixes.

Rounding out the list are MS07-028, which addresses a critical flaw in Microsoft CAPICOM and BizTalk related to certificate handling, and MS07-029 for the DNS flaw affecting Windows 2000 Server and Windows Server 2003. Microsoft had earlier issued a security advisory about the DNS issue, which allows a remote attacker to execute arbitrary code on the server in the Local System context.

"The Exchange Server flaw is extremely dangerous and PatchLink classifies this as a mandatory fix. This vulnerability could be used to drop malware, spam, and can also be used for targeted attacks where a hacker can drop a back door Trojan on the site," commented Paul Zimski, Senior Director at PatchLink.

"Since email is at the core of proprietary information for an organization, this is particularly powerful. If a hacker exploits this vulnerability, they have the opportunity to control the ebb and flow of all day-to-day business communications."

The seven security bulletins are available for download via Windows Update and Microsoft Update, and will be delivered automatically to users with automatic updates enabled.

Comments


WAH! WAH! WAH! IE is by far the best there is. I have tried them all and hands down it is the best; just be thankful when Microsoft issues a patch, they are protecting you...

Score: 0

Saying IE is the best browser is like saying Google's search engine is the best. Just because it is the most popular does not make it the best. IE7 bites, closed a tab a couple of days ago and it went into meltdown. I will never ever use IE again.

Score: 0

You're an ask.com employee, aren't you?

Score: 0

Didn't think about it at the time, but I guess what I said is kind of like the ask.com commercials, huh. lol

Score: 0

You better go now, little one, before your daddy finds out you're using his PC to post crap and gives you a spanking.

Score: 0

ZOIKS!

Score: 0

...and it still sucks.

Score: 0

Interesting how only 7 of those patches are publicized (ZDNet, Slashdot, BetaNews, etc.) and the 6 for Vista get barely a mention.

Even more interesting is that those 6 are, in fact, IE7 patches (cumulative update), and *not* patches for the OS itself.

Isn't biased reporting grand? (Not blaming you, Nate; I'm sure you got your info from ZDNet or some such.)

Score: 0

I had to uninstall the update for IE7 (cumulative update) on my machine; it rendered IE7 unusable.

Score: 0

Well, duh. Unusable = about as secure as you can get, right? :p

Score: 0

We've had a few reports of the same.

Also the CAPICOM update didn't show up on our WSUS 3.0 server.

Score: 0

Same here.

Score: 0