Rather than repeating all the patches I’ll direct you to news.com which has a good summary of the patches along with links to the individual bulletins. The patches are available through automatic updates or individual downloads.

Happy patching and good luck.

Thirteen components are updated. Click the thumbnail to see the component list or visit the Apple Support Page for the complete details. Of special note is the Samba vulnerability that Apple has finally patched. Samba is an open source windows file sharing application that is bundled with OS X. A critical vulnerability was found in late may and almost immediately patched by the Samba team. Apple has released several security updates since then but none have included the Samba patch, until now. Samba is off by default but is enabled when turning on Windows sharing in System Preference -> Sharing.

The update is for both Intel and PPC based Macs running OS X 10.3.9 or OS X 10.4.10 including the standard OS and the Server OS. It’s available through Apple’s built-in software update service or as a standalone download. A computer restart is needed after applying the patch.

Apple also released Airport Extreme Update 2007-004. Details are lacking and Apple’s only comment is:

This update is recommended for all Intel-based MacBook, MacBook Pro, and Mac mini computers and improves the reliability of AirPort connections.

Two of the patches affect Microsoft Office software:

MS07-036 is rated critical and affects all versions of Microsoft Excel from Excel 2000 on up. It also applies to the Office 2007 compatibility pack. It’s only rated critical for Excel 2000. Microsoft rates the other versions as “important”. The bulletin does not list any known issues.

MS07-037 is rated important and affects Microsoft Office Publisher 2007 only. The bulletin does not list any known issues.

One patch affects Vista only:

MS07-038 is rated moderate and affects Windows Vista, both 32-bit and 64-bit versions. This patches a vulnerability in the Windows Vista firewall that could allow an attacker to gather information about a host. There are no known issues listed in the bulletin.

One patch affects .NET:

MS07-040 is rated critical and affects .NET versions 1.x and 2.x, version 3.x is not affected. All operating systems are affected if they have a vulnerable version of .NET installed. There are no known issues listed in the bulletin.

The final desktop patch, MS-07-041, is rated important and affects Microsoft Internet Information Server (IIS) when running on Windows XP SP2. Earlier versions of Windows XP may be affected but Microsoft only supports service pack 2. IIS is not installed by default on Windows XP.

The server patch is is MS07-039 and is a vulnerability in Active Directory that’s rated critical.

The patches are available through automatic update or can be downloaded individually from Microsoft.

One is in Webcore and can allow cross-site scripting attacks.

The second patched vulnerability was in Webkit and could allow remote code execution.

The update is available through Software Update or as a standalone download and requires a reboot.

This security vulnerability is described by Apple as:

…the reception of specially crafted IPv6 packets may lead to a reduction in network bandwidth.

This is a relatively low risk vulnerability as it doesn’t include a potential loss of data and doesn’t allow the installation of malicious software. The update also includes security patches released since 10.4.9.

The update is available through the Software Update feature of OS X or as a standalone download. The Intel version of the update is a 49MB download when done through Software Update (click the thumbnail to see notification full size). The update is also available as a standalone installer in four forms. There are downloads for the Power PC (PPC) and Intel CPUs. Then each CPU has a “delta” update which requires that 10.4.9 already be applied and a much larger “combo” update which includes all previous updates to OS X 10.4.

I applied the update to two Intel Macs without incident. Like previous updates the first reboot after the patch is significantly longer than usual.

The four critical desktop patches are:

MS07-031 for Windows XP SP2, Windows XP x64 and Windows XP x64 SP2. It’s rated as “important” for Windows 2000 SP4. Earlier versions of Windows 2000 and XP may be affected but aren’t supported by Microsoft. On Windows XP this vulnerability can allow remote code execution. On other OS’s the vulnerability results in a denial of service attack (such as a system crash). The user must visit a malicious website to be exploited.

MS07-033 is the cumulative patch for all versions of Internet Explorer and is critical on all desktop OS’s that run it. Since this is a cumulative update it carries forward any baggage of earlier issues (like changes in ActiveX control handling). As usual, the most serious vulnerability impact is remote code execution. Six new vulnerabilities are identified in the bulletin some of which allow remote code execution.

MS07-034 is for Windows Mail on Vista (including Vista x64). It is rated “important” for Outlook Express 6 on all versions of Windows XP. There are five different vulnerabilities identified. On XP they may disclose information, on Vista they allow remote code execution.

MS07-035 is for all desktop OS’s except Vista. It’s not needed on Vista. This allows remote code execution.

The patches are released through Windows Update and are available for individual download.

According to the Apple notification it contains updates to the following components:

• bind
• CarbonCore
• CoreGraphics
• crontabs
• fetchmail
• file
• iChat
• mDNSResponder
• PPP
• ruby
• screen
• texinfo
• VPN

The update is for both Intel and PPC macs.

MS07-023 is for Office, specifically Microsoft Excel. All versions from 2000-2007 are affected as-is the Excel viewers and compatibility packs. Office 2004 for Mac is also vulnerable and needs updating.

MS07-024 is also for Office, this time it’s for Word. The patch is NOT needed for the latest version, Word 2007. But it’s needed for all versions from 2000-2003 and Office 2004 for Mac. The Word viewer also needs updating, Microsoft Works 2004, 2005 and 2006 are also vulnerable and needs updating.

MS07-025 is another Office patch. and affects every version from 2000-2007 along with all the viewers and compatibility packs. Office 2004 for Mac is also affected and needs updating.

MS07-027 is the cumulative update for Internet Explorer. All supported versions of Internet Explorer on all supported operating systems are affected and needs to be updated.

MS07-028 is a patch for CAPCOM which is the “Cryptographic API Component Object Model”. CAPCOM is an Active X control that allows scriptors (VBS, ASP, etc…) he ability to encrypt data. It’s part of the Biztalk servers but may be installed by other software. My Windows XP SP2 machine needed the update, other systems may not need it.

You can get the updates through Windows Update. The links above will also bring you to the bulletins at the Microsoft site. I applied the updates to Windows XP SP2 and Vista without a problem. I don’t run any versions of Office at home so I can’t try those updates. There aren’t any compatibility warnings in the bulletins.

They also address six other vulnerabilities in the Graphics Rendering Engine (GDI), although none are rated critical.

They make a note of an known issue with the Realtek HD Audio Control Panel (Rthdcpl.exe) on Windows XP SP2 which is documented here.

The Microsoft bulletin for “home users” is here.

The Microsoft bulletin fot “technical users” is here.

As usual, the patch will be in Windows update.