Two of the patches affect Microsoft Office software:

MS07-036 is rated critical and affects all versions of Microsoft Excel from Excel 2000 on up. It also applies to the Office 2007 compatibility pack. It’s only rated critical for Excel 2000. Microsoft rates the other versions as “important”. The bulletin does not list any known issues.

MS07-037 is rated important and affects Microsoft Office Publisher 2007 only. The bulletin does not list any known issues.

One patch affects Vista only:

MS07-038 is rated moderate and affects Windows Vista, both 32-bit and 64-bit versions. This patches a vulnerability in the Windows Vista firewall that could allow an attacker to gather information about a host. There are no known issues listed in the bulletin.

One patch affects .NET:

MS07-040 is rated critical and affects .NET versions 1.x and 2.x, version 3.x is not affected. All operating systems are affected if they have a vulnerable version of .NET installed. There are no known issues listed in the bulletin.

The final desktop patch, MS-07-041, is rated important and affects Microsoft Internet Information Server (IIS) when running on Windows XP SP2. Earlier versions of Windows XP may be affected but Microsoft only supports service pack 2. IIS is not installed by default on Windows XP.

The server patch is is MS07-039 and is a vulnerability in Active Directory that’s rated critical.

The patches are available through automatic update or can be downloaded individually from Microsoft.

The four critical desktop patches are:

MS07-031 for Windows XP SP2, Windows XP x64 and Windows XP x64 SP2. It’s rated as “important” for Windows 2000 SP4. Earlier versions of Windows 2000 and XP may be affected but aren’t supported by Microsoft. On Windows XP this vulnerability can allow remote code execution. On other OS’s the vulnerability results in a denial of service attack (such as a system crash). The user must visit a malicious website to be exploited.

MS07-033 is the cumulative patch for all versions of Internet Explorer and is critical on all desktop OS’s that run it. Since this is a cumulative update it carries forward any baggage of earlier issues (like changes in ActiveX control handling). As usual, the most serious vulnerability impact is remote code execution. Six new vulnerabilities are identified in the bulletin some of which allow remote code execution.

MS07-034 is for Windows Mail on Vista (including Vista x64). It is rated “important” for Outlook Express 6 on all versions of Windows XP. There are five different vulnerabilities identified. On XP they may disclose information, on Vista they allow remote code execution.

MS07-035 is for all desktop OS’s except Vista. It’s not needed on Vista. This allows remote code execution.

The patches are released through Windows Update and are available for individual download.

Some took the headline view when they posted about the story and gave the impression that Windows Update was vulnerable. It makes good headlines to say Windows Update can be exploited. Plus Symantec has been complaining about Microsoft getting into the security software business.

Windows Update itself isn’t vulnerable. The trojan has to get on the PC in some other way, such as email. Then, once it’s on the PC it modifies BITS. Since BITS is on every Windows XP SP2 and Vista PC it’s a known target so it’s a good selection to attack. But any application which is allowed through the firewall could be exploited in the same way.

It’s not a reason to stop using Windows Update. The patches are needed to keep the exploits from getting on the PC in the first place. Once an piece of malware is on the PC it’s difficult to keep it from changing any system resources it has access to. Hopefully Microsoft will come up with a way to make Windows Update more secure despite this and they should do all they can since it’s part of the operating system. But keeping malware off the PC in the first place is the main problem. Once malware is on the PC is the biggest concern really that BITS can then be exploited so the malware can update itself?

MS07-023 is for Office, specifically Microsoft Excel. All versions from 2000-2007 are affected as-is the Excel viewers and compatibility packs. Office 2004 for Mac is also vulnerable and needs updating.

MS07-024 is also for Office, this time it’s for Word. The patch is NOT needed for the latest version, Word 2007. But it’s needed for all versions from 2000-2003 and Office 2004 for Mac. The Word viewer also needs updating, Microsoft Works 2004, 2005 and 2006 are also vulnerable and needs updating.

MS07-025 is another Office patch. and affects every version from 2000-2007 along with all the viewers and compatibility packs. Office 2004 for Mac is also affected and needs updating.

MS07-027 is the cumulative update for Internet Explorer. All supported versions of Internet Explorer on all supported operating systems are affected and needs to be updated.

MS07-028 is a patch for CAPCOM which is the “Cryptographic API Component Object Model”. CAPCOM is an Active X control that allows scriptors (VBS, ASP, etc…) he ability to encrypt data. It’s part of the Biztalk servers but may be installed by other software. My Windows XP SP2 machine needed the update, other systems may not need it.

You can get the updates through Windows Update. The links above will also bring you to the bulletins at the Microsoft site. I applied the updates to Windows XP SP2 and Vista without a problem. I don’t run any versions of Office at home so I can’t try those updates. There aren’t any compatibility warnings in the bulletins.

From the article…

“We are looking closely at the methodology and results of the test to ensure that Windows Live OneCare performs better in future tests,” the Microsoft spokesperson told us, “and, most importantly, as part of our ongoing work to continually enhance Windows Live OneCare to ensure the highest level of protection and service that we can provide our customers.”  

BetaNews also reported that McAfee’s VirusScan Enterprise 8.1 flunked the test.

The February testing was done on Windows Vista. Virus Bulletin is a respected virus test organization. The test agains in the wild viruses. Their test procedure is documented here. As for software that past the test, Beta news reported they were…

…both CA’s Home and eTrust (enterprise) products, Fortinet’s FortiClient, F-Secure Anti-Virus, Kaspersky Anti-Virus 6.0 (which was added to the ZoneAlarm suite last November), Sophos Anti-Virus 6.5, and Symantec AntiVirus 10.2

They also address six other vulnerabilities in the Graphics Rendering Engine (GDI), although none are rated critical.

They make a note of an known issue with the Realtek HD Audio Control Panel (Rthdcpl.exe) on Windows XP SP2 which is documented here.

The Microsoft bulletin for “home users” is here.

The Microsoft bulletin fot “technical users” is here.

As usual, the patch will be in Windows update.

The only real protection from this vulnerability would be for Microsoft to release a patch. The next “patch Tuesday” is April 10th. [Updated 4/2: Microsoft has said they will release a patch on Tuesday 4/3]

There’s also a significant impact within e-mail. The microsoft security bulliten mentions e-mail as a method to exploit the vulnerabilty.

What might an attacker use this function to do?
An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.

Even previewing the mail message in an preview pane could infect the machine. (See below for exceptions to this)

Microsofts recommendation for e-mail is: 

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. 

• Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector. Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability. Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

• The changes are applied to the preview pane and to open messages.

• Pictures become attachments so that they are not lost.

• Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

Microsoft makes the usual recommendations of not reading e-mail from a source you don’t know. But addresses can be spoofed or faked so any vulnerabity like this (where just viewing the message could infect the pc is a problem). Turnng off the preview pane will prevent accidents. There’s really isn’t any protection until Microsoft releases a patch.

Here’s a video of what happens when the vulnerability is used for a DoS attack on a PC (video via UneasySilence):