Microsoft May Patch Release

(imported topic written by tim_tsai)

Microsoft released 7 security bulletins today, all with maximum severity ratings of “Critical”. The release includes security updates for publicly known vulnerabilities documented in Microsoft Security Advisories 935964 and 933052. The release also introduces the first security updates for Office 2007, Exchange 2007, and CAPICOM/BizTalk Server 2004.

For more information about this month’s patch release and affected security advisories, see these links:

Microsoft Security Bulletin Summary: http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx

Microsoft Security Response Center Blog: http://blogs.technet.com/msrc/archive/2007/05/08/may-2007-monthly-bulletin-release.aspx

Microsoft Security Advisory 935964: http://www.microsoft.com/technet/security/advisory/935964.mspx

Microsoft Security Advisory 933052: http://www.microsoft.com/technet/security/advisory/933052.mspx

Fixlet content for the newly released security bulletins has been published to the “Enterprise Security” site. BigFix is still working on the MS07-026 update for “Microsoft Exchange 2007 Management Tools”. The update only applies to customers using “Microsoft Exchange 2007 Management Tools” on x86 Windows. The other MS07-026 Exchange Server updates have been published.

(imported comment written by StacyLee)

Tim,

I noticed for these 2 office fixlets:

MS07-025: Vulnerability in Microsoft Office Could Allow Remote Code Execution - Office 2007

MS07-023: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution - Excel 2007

…they don’t have the usual (administrative/Network/Local install) install after the title. Does this mean starting with Office 2007 the media is no longer needed?

(imported comment written by jessewk)

…they don’t have the usual (administrative/Network/Local install) install after the title. Does this mean starting with Office 2007 the media is no longer needed?

… and they sang and danced all night until the first rays of sun began to light the sky…

(imported comment written by tim_tsai)

Hey Stacy,

Administrative installations are no longer supported in Office 2007. Instead, they have been replaced by a “required local installation source”. So theoretically, Office updates will have access to all of the original installation files on the local hard drive, eliminating the need to supply the original installation media.

Another improvement Microsoft appears to have made is in localization. The non-English updates are exactly the same as the English updates, so there is now no need to target the Office language.

So yes, we danced all night while we worked on the rest of the updates. =)

(imported comment written by tim_tsai)

tim_tsai

…BigFix is still working on the MS07-026 update for “Microsoft Exchange 2007 Management Tools”. The update only applies to customers using “Microsoft Exchange 2007 Management Tools” on x86 Windows. The other MS07-026 Exchange Server updates have been published.

Upon further research and testing, we have discovered that contrary to Microsoft documentation, installing only “Exchange Server 2007 Management Tools” on x86 Windows does not introduce the vulnerable files for MS07-026. It is likely that the MS07-026 security update for x86 Windows applies to “Exchange Server 2007 Evaluation Software” instead. We are actively investigating this, and will provide another update once we have more information.

(imported comment written by tim_tsai)

Fixlet content has been released for the MS07-026 32-bit update for Exchange 2007. In our testing the vulnerable files are only present on computers with the “Exchange Server 2007 Evaluation Software” installed on 32-bit Windows.

ID 702604: “MS07-026: Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution - Microsoft Exchange 2007”

ID 702610: “MS07-026: CORRUPT PATCH - Microsoft Exchange 2007”