
Microsoft Security Bulletin Update

May 2007

The monthly Microsoft security updates for May 2007 were released on Tuesday, May 8th. Seven security updates were released, addressing 18 separate issues in supported Windows operating systems and related components. The May bulletin includes MS07-023 through MS07-029, all of which Microsoft rates as “critical”.

MS07-023 – Critical
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)

MS07-024 – Critical
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)

MS07-025 – Critical
Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)

MS07-026 – Critical
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)

MS07-027 – Critical
Cumulative Security Update for Internet Explorer (931768)

MS07-028 – Critical
Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)

MS07-029 – Critical
Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)

The potential impact to RALS customers is color coded as:

  • Red (immediate threat/urgent action needed)

  • Black (action needed/recommended)

  • Green (routine process or no action needed)

*** NOTE: Since Microsoft has ended support for Windows NT based systems, the potential for the following vulnerabilities to affect Windows NT based systems was not addressed or reviewed, nor was any patch provided by Microsoft for NT systems. ***


MS07-023 – Critical

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)

  • This update addresses several newly discovered, privately reported vulnerabilities in Microsoft Excel.

  • This only affects platforms with the affected versions of Microsoft Excel installed.

  • This update replaces the update that is included with Microsoft Security Bulletin MS07-002.

  • Recommendation is no action needed for this update as the Microsoft Excel (MS-Office) product is not provided as part of any RALS installation.

MS07-024 – Critical

Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)

  • This update addresses several newly discovered, privately and publicly reported vulnerabilities in Microsoft Word.

  • This only affects platforms with the affected versions of Microsoft Word installed.

  • This update replaces the update that is included with Microsoft Security Bulletin MS07-014.

  • Recommendation is no action needed for this update as the Microsoft Word (MS-Office) product is not provided as part of any RALS installation.

MS07-025 – Critical

Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)

  • This update addresses a newly discovered, privately reported vulnerability in Microsoft Office.

  • This only affects platforms with the affected versions of Microsoft Office installed.

  • This update replaces the update that is included with Microsoft Security Bulletin MS07-015.

  • Recommendation is no action needed for this update as the Microsoft Office product is not provided as part of any RALS installation.

MS07-026 – Critical

Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)

  • This update addresses several newly discovered, privately reported vulnerabilities in Microsoft Exchange.

  • This only affects platforms with the affected versions of Microsoft Exchange installed.

  • This update replaces the updates that are included with Microsoft Security Bulletins MS06-019 and MS06-029.

  • Recommendation is no action needed for this update as the Microsoft Exchange product is not provided as part of any RALS installation.

MS07-027 – Critical

Cumulative Security Update for Internet Explorer (931768)

  • This update resolves several newly discovered, publicly and privately reported vulnerabilities in Internet Explorer.

  • This affects Windows 2000 SP4, Windows 2003 SP1 and Windows XP SP2 systems running IE 5.01, IE 6, and IE 7.

  • As a cumulative update to IE, this update replaces previous IE cumulative updates, including MS07-016.

  • An attacker could exploit the vulnerabilities by hosting a malicious web page and enticing the user to visit this site, or by delivering the malicious HTML content by other means such as email. These issues can NOT be exploited without user interaction. The impact of a successful exploit could be remote code execution. If the logged-in user had administrative rights, the code execution could take complete control over the system.

  • Typical RALS systems do have IE installed and require its use for the web-based system components of RALS. This vulnerability cannot be exploited without user interaction. The user cannot be forced to visit the malicious web page, and the intended use of the RALS systems does not include non-RALS related "web-surfing" activities.

  • Recommend this update be included with the next regular RALS product test and release cycle.  The expected risk for adverse effects on RALS operations from this update is low.

MS07-028 – Critical

Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)

  • This update addresses a newly discovered, privately reported vulnerability in CAPICOM and BizTalk Server 2004.

  • This only affects platforms with the affected versions of CAPICOM or BizTalk Server 2004 installed.

  • Recommendation is no action needed for this update as the CAPICOM or BizTalk Server 2004 products are not provided as part of any RALS installation.

MS07-029 – Critical

Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)

  • This update resolves a publicly disclosed vulnerability in Windows DNS RPC Interface.

  • This affects Windows 2000 Server SP4 and Windows Server 2003 SP1 and SP2.     

  • RALS systems are not directly at risk since they are not intended to function as DNS servers.

  • Recommendation is no action needed for this update as the DNS Server Service is not enabled as part of any RALS installation.



© 2007 Medical Automation Systems, Inc., Charlottesville, VA USA. All rights reserved.