May Day May Day I run Windows

Written by Editor
Tuesday, 08 May 2007 21:38

Well, it is Patch Tuesday again, and for May we have seven patches, each rated Critical by Microsoft. The patches cover vulnerabilities within the Windows operating system, Internet Explorer and Microsoft Office.

First up we have MS07-023. This advisory covers three issues within Microsoft Excel, all of them remote code execution vulnerabilities in the way Excel handles files. The first is in how Excel handles BIFF records, the second is in how Excel handles files with set font values, and the third is in how Excel handles filter records within a file. These issues affect Microsoft Excel 2000, Excel 2002, Excel 2003, Excel 2007 and Office 2004 for Mac.

The next patch is MS07-024. This advisory covers three vulnerabilities within Microsoft Word, all of which allow remote code execution and relate to problems handling files. The first relates to how Word handles array information within a Word document. The second is an issue in the handling of the Word document stream, where a specially crafted stream can be used to cause an overflow and execute code on a client. The third relates to a problem with the Rich Text Format parser within Word. These issues affect Microsoft Word 2000, Word 2002, Word 2003, Office 2004 for Mac and Microsoft Works Suites 2004, 2005 and 2006. Office 2007 is not affected by the issues covered by MS07-024.

The next patch is MS07-025, which covers a vulnerability within various components of the Microsoft Office suite of products. The issue itself relates to the handling of a specially crafted drawing object within certain Office applications, which can be used for remote code execution. The three main elements at risk within the Office applications are Excel, FrontPage and Microsoft Publisher.

The next patch on the list is MS07-026, which covers four vulnerabilities within Microsoft Exchange. The first of the four is a simple information disclosure issue within Outlook Web Access through script injection. Then we have two denial of service issues, related to the handling of malformed iCal files and the handling of specially crafted IMAP commands. Finally, we have a remote code execution issue in the handling of MIME-encoded email messages. This patch covers Microsoft Exchange 2000, 2003 SP1/SP2 and Exchange 2007.

MS07-027 covers five vulnerabilities within Microsoft Internet Explorer. All versions of Internet Explorer on all Windows platforms are vulnerable, including Internet Explorer 7 on the ‘secure’ Windows Vista platform. All the issues covered by this patch can be used for remote code execution through the use of specially crafted web pages.

MS07-028 covers a vulnerability within the Cryptographic API Component Object Model (CAPICOM), which is part of Windows and used by Internet Explorer, and is also used within BizTalk Server 2004. The issue can allow remote code execution through specially crafted input to the CAPICOM.Certificates ActiveX control.

Finally, MS07-029 is a patch that addresses the DNS RPC interface vulnerability that was disclosed last month and has been widely exploited.

As usual, we recommend that you fire up Microsoft Update and get the patches installed as soon as possible. If you're running WSUS, get it synced and the patches approved for rollout before the bad guys start running amok with the exploits that are bound to be made public in the next few days.













