January Microsoft Updates
Posted by Tom Cross on January 09, 2007 at 3:26 PM EST.
It's the second Tuesday again, but this month Microsoft only has 4 bulletins for us, covering 10 vulnerabilities. That’s a good thing too, because I think I still have a headache from New Year's Eve; or maybe it’s due to last week's PDF XSS vulnerability, which IBM X-Force is also providing coverage for in our security content updates.
The most critical bulletin this month is MS07-004, which covers an integer overflow vulnerability in the Vector Markup Language (VML) support in Windows. This vulnerability is currently being exploited in the wild. ISS discovered an exploit in the wild against a different vulnerability in the same library back in September. You might want to consider following the advice we offered at that time: simply unregister the library. VML has been consumed by later Internet standards and is not widely used by legitimate websites. This may not be the last vulnerability disclosed in this library, and these vulnerabilities can be exploited by email worms.
Speaking of email worms, MS07-003 covers two remote code execution vulnerabilities and one denial of service issue in Outlook. The code execution issues involve iCalendar compatibility and "Office Saved Search" or .oss files. Fortunately, the details of these vulnerabilities have not been publicly disclosed. The iCalendar issue in particular could result in an automatically propagating email worm. Various wormable vulnerabilities that were disclosed in Microsoft products last year haven't resulted in outbreaks so far. We hope this trend continues into 2007; otherwise I'm going to need more Aspirin.
5 vulnerabilities in Excel are covered by MS07-002. They all result in remote code execution due to errors in file parsing that cause buffer overflows on the heap. They were all disclosed by various security research teams, and there are no exploits or vulnerability details in the wild.
Finally, MS07-001 covers an off-by-one vulnerability in the Microsoft Office 2003 Brazilian Portuguese Grammar Checker that can result in remote code execution. This vulnerability will not impact hosts that do not have the Office Brazilian Proofing Tools installed. Furthermore, a DoS PoC for this vulnerability has been publicly available since April and we're not aware of any exploitation, although it’s not out of the question that underground elements in Brazil will give this more attention now that Microsoft has confirmed that it can result in code execution. Unfortunately, Brazil has a large community of criminals who use software vulnerabilities to steal money from online financial institutions.

