The May update from Microsoft is covered across 7 bulletins. All of the bulletins address remote code execution vulnerabilities, thus are all rated as critical — Microsoft’s most severe rating.
MSO7-023 through MSO7-025 cover 7 different vulnerabilities found in Microsoft Office, specifically in various versions of Word, Excel and the Microsoft Office System. All but one of the vulnerabilities, if exploited, could result in remote code execution. Malicious hackers regularly resort to using malformed Office documents to launch attacks. It is therefore especially important to not open unsolicited email, especially if they include MS-Office Word, Excel or Powerpoint attachments.
MS07-026 bulletin covers critical vulnerabilities found in Microsoft Exchange Server 2003 SP1 and SP2, and Microsoft Exchange Server 2003. There are 4 vulnerabilities patched — two denial of service conditions, one remote code execution, and one “information disclosure” vulnerability. The latter vulnerability we will certainly hear more of in the future, as malicious hackers continue to target personal information in ID theft, banking, online gaming and other related Internet crimes.
MS07-027 is a cumulative update for Internet Explorer 7, a fixture in many Windows PCs, including the newly-released Vista. The bulletin includes fixes for at least five remote code execution vulnerabilities. Internet Explorer 7, being a very widely used web browser, makes any one of these vulnerabilities an attractive target for exploit writers. If the potential exploit is wormed, it would possibly be big trouble for many average home PC users.
MS07-028 includes a CAPICOM.Certificates bug fix for the lesser-known Microsoft CAPICOM and Biztalk software.
We will likely hear more about MS07-029 — a patch addressing a vulnerability in the Windows DNS RPC Interface. In this case Windows Vista is safe from attack. This is good news for Microsoft, but little comfort for anybody who has Windows 2000 Server, 2003 Server SP1 and SP2. Once again it is the infamous stack-based buffer overflow vulnerability. A buffer overflow, in combination with DNS will be of great interest to malicious hackers. System administrators are advised to apply this patch immediately.
Microsoft will host a one-hour long webcast to briefly cover the threats addressed by this month’s bulletins on May 9th at 11am Pacific Time.