  5. Microsoft fixes a dozen flaws

Redmond (USA) – Yesterday evening Microsoft released six security bulletins, three of which were classified as critical, two as important and one as moderate. In all, 11 vulnerabilities were corrected, affecting Office, Active Directory, MS.NET Framework, Microsoft Internet Information Services (IIS) and the Windows Vista firewall.

The three “critical” bulletins are MS07-036, which describes several flaws in Excel 2000, 2002, 2003 and 2007 and in the Office Compatibility Pack 2007; MS07-039, concerning the Windows Active Directory service of Windows 2000 and 2003; and MS07-040, which affects versions 1.x and 2.0 of the MS.NET Framework. All the vulnerabilities described in these bulletins are potentially exploitable by a cracker to execute code remotely.

The two “important” bulletins are MS07-037, related to Office 2007, and MS07-041, related to IIS 5.1 for Windows XP. In these two cases as well, the risk is that an attacker exploits the flaws to execute code remotely, but Microsoft considers such an attack more difficult or less impactful than with the previous vulnerabilities.

The last bulletin, MS07-038, describes a “moderate” weakness in the firewall built into Windows Vista that “could allow unsolicited network traffic to access a network interface”. An attacker could take advantage of the bug to “gather information about the vulnerable host”.

The customary summary table of Microsoft’s July bulletins was published here by the Internet Storm Center.