Microsoft curates Vista, Office 2007 and IE7

Redmond (USA) – Microsoft has released seven new security bulletins, all classified as “critical”, which address 19 security vulnerabilities in Windows, Internet Explorer, Office, Exchange, Cryptographic API Component Object Model (CAPICOM) and BizTalk.

The bulletin MS07-029 fixes a zero-day flaw in the RPC interface of the Windows 2000 Server and Windows Server 2003 DNS service. first worm capable of exploiting it. For details on the vulnerability, see the news published last month.

There are seven security bugs fixed in Office in all, and they are described in three different bulletins. L’ MS07-023 it concerns three flaws in Excel 2000, 2002, 2003 (including Viewer), 2007 and 2004 for Mac, considered “critical” in Office 2000 and “important” in the other editions of the suite. In all three cases, an attacker could exploit them to create files that, when opened with a vulnerable version of Excel, execute code with the same privileges as the local user.

L’ MS07-024 instead it concerns three flaws in Word 2000, 2002, 2003 (including Viewer), 2004 for Mac, and Works Suite 2004/2005/2006. Also in this case the problem is considered of the greatest seriousness in Office 2000 and “important” in the other cases: immune to any Word 2007 problem. A cracker could create malformed documents which, once opened, cause the execution of malicious code.

The latest Office bulletin is the MS07-025 , which fixes a vulnerability contained in the 2000, 2002, 2003 and 2007 versions of Excel, FrontPage, Publisher, Office SharePoint Designer 2007 and Expression Web. The problem is due to the incorrect handling of a malformed graphic object which, if inserted into the inside a malicious file, it can cause code execution. The vulnerability is considered “critical” in Office 2000 and “important” in other software affected by the problem.

The bulletin MS07-027 , which according to BigM “fixes several recently discovered vulnerabilities and reported both publicly and privately to Microsoft,” fixes five Internet flaws 5.x, 6, and 7 (including the version built into Windows Vista). Depending on the version of the browser and the version of Windows, the severity is more or less serious: in particular, Windows Server 2003 is the platform considered by Microsoft to be more difficult to “pierce”. All vulnerabilities can be exploited to execute code remotely.

Four other flaws were sealed by Microsoft in the 2000, 2003 and 2007 versions of Exchange, and except one, which was considered “critical”, were classified as “important”. In two cases the problems could be exploited to launch denial of service attacks, in one case to intercept personal information and in the latter case to execute code remotely.

The last “critical” vulnerability, described in MS07-028 bulletin, concerns CAPICOM, GDI + redistributable component of Microsoft Platform SDK CAPICOM and BizTalk Server 2004.

Microsoft has posted a summary of the vulnerabilities here, while the Internet Storm Center provides its usual summary table here.

Microsoft has also made it available a new update for Windows Vista related to the known compatibility issue between the Safely Remove Hardware feature of Vista and iPod. The update, which Microsoft’s Nick White qualifies as “definitive” (a first update had already been released at the end of March), can be downloaded immediately from here or, starting May 22, through Windows Update.