Seven critical security bulletins. That's the tally in Microsoft's May edition of Patch Tuesday. The release fixes 19 vulnerabilities in Windows, Office, and Internet Explorer. Seven of the patched vulnerabilities could lead to code execution attacks against Word, Office, and Excel, according to the Microsoft advisories.
Three of the seven security bulletins address bugs in Microsoft Office, while others plug holes in Windows, Microsoft Exchange, and Internet Explorer. The remaining bulletin fixes a vulnerability in an ActiveX control called the Cryptographic API Component Object Model (CAPICOM), which also ships with BizTalk, a Microsoft platform for application integration. Of the 19 vulnerabilities, two are found within Vista, six more in older versions of Internet Explorer, and five in the latest version of Redmond's browser, Internet Explorer 7.
"Of particular concern is the large number of Microsoft Office, Word, Excel, and Internet Explorer vulnerabilities being patched today," said Dave Marcus, security research and communications manager at McAfee Avert Labs. "These applications are the most frequently targeted applications by malware writers, so we recommend that all customers evaluate their security coverage and policies to ensure they have adequate protection in place."
The Zero-Day Vulnerability
While concern is one thing, significant impact is another. Security researchers agree that the most dangerous vulnerability for businesses is covered by MS07-026, an update to fix a critical Microsoft Exchange vulnerability that can be exploited with a specially crafted e-mail to enable remote code execution on the Exchange server.
"This vulnerability could be used to drop malware, spam, and can also be used for targeted attacks where a hacker can drop a back door Trojan on the site," said Paul Zimski, senior director of market and product strategy for PatchLink. "Since e-mail is at the core of proprietary information for an organization, this is particularly powerful. If a hacker exploits this vulnerability, they have the opportunity to control the ebb and flow of all day-to-day business communications."
This vulnerability is similar to MS07-029, the DNS vulnerability, in terms of its impact on critical enterprise infrastructure, according to Minoo Hamilton, senior security researcher for nCircle.
"There are two key issues here. The first is that this vulnerability can take Exchange users by surprise if they have a preview pane operating," he noted. In this case end users don't actually have to open an e-mail or click on an attachment, he said, which makes this vulnerability more dangerous than other Office application vulnerabilities. The second issue, he continued, is that Exchange servers are difficult to patch and IT teams might need to wait for scheduled downtime. If so, the bug could leave businesses vulnerable for an extended period.
Prioritizing the Patching
Security researchers agree that in light of these risks, patches that fix bugs with a client-side impact should be prioritized. For example, the Office and Internet Explorer vulnerabilities are triggered by content a user opens or browses to, so these patches are critical and should be deployed quickly.
Among the high-priority patches, then, are MS07-023 for Excel, MS07-024 for Microsoft Word, MS07-026 for Exchange, and of course the highly anticipated MS07-029 update that patches the DNS vulnerability.
"An interesting trend in Tuesday's release is that both Vista and other 2007 Microsoft software, including Exchange and Office, continue to come up vulnerable, demonstrating that the security development lifecycle is not infallible," said Amol Sarwate, director of the vulnerability research lab at Qualys.