On 'Patch Tuesday', Microsoft issued six security updates for Windows, Office and the .Net Framework, patching a total of 11 vulnerabilities -- five of them rated critical.
The most serious of the batch is MS07-039, said security analysts who, unlike last month, had no trouble naming that critical update as the one which should be patched first.
"By far, this is the top of the list this month," said Andrew Storms, director of security operations at nCircle Network Security Inc.
MS07-039 patches a pair of bugs in Active Directory in Windows 2000 Server and Windows Server 2003, the two supported server editions of Microsoft's operating system. The most dangerous of the two is a vulnerability in the way Active Directory validates an LDAP (Lightweight Directory Access Protocol) request. According to Microsoft's write-up, "an attacker who successfully exploited this vulnerability could take complete control of an affected system."
"Definitely at the top of today's list," agreed David Dewey, a researcher with IBM Internet Security Systems' X-Force team. "It's definitely exploitable."
Unlike most vulnerabilities, the Active Directory bug can be exploited without any user interaction, and on Windows 2000 Server, the older of the two operating systems, it can be attacked by an anonymous user. Although Windows Server 2003 may look safer at first glance -- an attacker must have valid credentials to exploit the bug on that edition -- looks can be deceiving, said Tom Cross, another X-Force researcher.
Two of the remaining five bulletins were pegged "critical" by Microsoft, while another two were marked "important." The final update was tagged as "moderate."
MS07-036, which patches three vulnerabilities, two of them judged critical and one of them a zero-day flaw already out in public, repairs bugs in Excel 2000, 2002, 2003 and 2007. Similar vulnerabilities in other Microsoft Office document formats, including those in Word and PowerPoint, have been used by attackers to slip malicious code into corporations. Some of these attacks have been so narrowly targeted that they're launched against just one user at one company.
"[Today's] bulletin includes a fix for a previously disclosed denial-of-service issue from February 2007 which is now billed as having the potential for remote code execution," noted Oliver Friedrichs, director of Symantec's security response group.
As Friedrichs pointed out, Microsoft characterised all three bugs patched by MS07-036 as having a "remote code execution" impact, meaning that hackers could inject their own malware into a PC after exploiting the Excel flaws.
The third critical update, MS07-040, plugs three holes in the .Net Framework, the primary Windows runtime environment called on by developers. Notably, all three vulnerabilities were previewed during a sneak peek at the Syscan'07 security conference last week in Singapore.
But the patches may be a ton of trouble to corporate IT managers, said Storms, because the .Net Framework is so widely used by corporate developers of in-house software. "Not only will [companies] have to run QA on the patches, they'll have to run QA on the code that runs on .Net," said Storms. The fixes in MS07-040 apply to all but Version 3.x of .Net Framework, adding additional complexity to in-enterprise application testing.
Of the remaining security updates, one fixes a flaw in Publisher 2007, another patches Internet Information Services 5.1 on Windows XP Professional SP2, and the third quashes a bug in Windows Vista's bundled firewall.
That last, although rated "moderate," second-from-the-bottom in Microsoft's four-step severity rating system, is worth some reflection, said Symantec's Friedrichs.
As usual, Microsoft's monthly updates have been posted to Microsoft Update and Windows Update services, and they can also be retrieved through Windows Server Update Services.