Microsoft Security Bulletin Update

June 2007


The monthly Microsoft security updates for June 2007 were released on Tuesday June 13th.  Six security updates were released, addressing 15 separate issues in supported Windows operating systems and related components.  The June bulletin includes MS07-030 which Microsoft rates an “important” level; MS07-031, and MS07-033 through MS07-035 which are rated at a “critical” level; and MS07-032 which Microsoft rates at a “moderate” level.

MS07-030 – Important

Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)

MS07-031 – Critical

Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)


MS07-032 – Moderate

Vulnerability in Windows Vista Could Allow Information Disclosure (931213)

MS07-033 – Critical

Cumulative Security Update for Internet Explorer (933566)

MS07-034 – Critical

Cumulative Security Update for Outlook Express and Windows Mail (929123)

MS07-035 – Critical

Vulnerability in Win 32 API Could Allow Remote Code Execution (935839)


The potential impact to RALS customers is color coded as:

  • Red (immediate threat/urgent action needed)

  • Black (action needed/recommended)

  • Green (routine process or no action needed)

*** NOTE: Since Microsoft has ended support for Windows NT based systems, the potential for the following vulnerabilities to affect Windows NT based systems was not addressed or reviewed, nor was any patch provided by Microsoft for NT systems. ***


MS07-030 – Important

Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)

  • This update addresses two newly discovered, privately reported vulnerabilities in Microsoft Visio 2002 SP2 and Visio 2003 SP2.

  • This only affects platforms with the affected versions of Microsoft Visio installed.

  • Recommendation is no action needed for this update as the Microsoft Visio (MS-Office) product is not provided as part of any RALS installation.

MS07-031 – Critical

Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)

  • This update resolves a privately reported vulnerability in the Secure Channel (Schannel) security package in Windows. 

  • This affects Windows 2000 Server SP4; Windows XP SP2; and Windows Server 2003 SP1 and SP2.

  • In a Web-based attack scenario a compromised Web site could accept or host user-provided content or advertisements which could contain specially crafted content that could exploit this vulnerability.  Attempts to exploit this vulnerability would require user interaction.  An attacker would have no way to force users to visit these Web sites.

  • Typical RALS systems do have IE installed and require its use for the web-based system components of RALS.  This vulnerability cannot be exploited without user interaction.  The user cannot be forced to visit the malicious web page, and the intended use of the RALS systems does not support users using the RALS systems for non-RALS related "web-surfing" activities.

  • Recommend this update be included with the next regular RALS product test and release cycle.  The expected risk for adverse effects on RALS operations from this update is low.

MS07-032 – Moderate

Vulnerability in Windows Vista Could Allow Information Disclosure (931213)

  • This update resolves a privately reported vulnerability that could allow non-privileged users to access local user information data stores including administrative passwords.

  • This only affects the Microsoft Windows Vista operating system. Recommendation is no action needed for this update as the Microsoft Windows Vista operating system is not provided as part of any RALS installation.

MS07-033 – Critical

Cumulative Security Update for Internet Explorer (933566)

  • This update resolves several newly-discovered publicly and privately reported vulnerabilities in Internet Explorer.

  • This affects Windows 2000 SP4, Windows 2003 SP1 and Windows XP SP2 systems running IE 5.01, IE 6, and IE 7.

  • As a cumulative update to IE, this update replaces previous IE cumulative updates including MS07-027.

  • An attacker could exploit the vulnerabilities by hosting a malicious web page and enticing the user to visit this site or delivering the malicious HTML content by other means such as email.  These issues can NOT be exploited without user interaction.  The impact of successful exploit could be remote code execution.  If the logged in user had administrative rights, the code execution could take complete control over the system.

  • Typical RALS systems do have IE installed and require its use for the web-based system components of RALS.  This vulnerability cannot be exploited without user interaction.  The user cannot be forced to visit the malicious web page, and the intended use of the RALS systems does not support users using the RALS systems for non-RALS related "web-surfing" activities.

  • Recommend this update be included with the next regular RALS product test and release cycle.  The expected risk for adverse effects on RALS operations from this update is low.

MS07-034 – Critical

Cumulative Security Update for Outlook Express and Windows Mail (929123)

  • This update resolves two privately reported and two publicly disclosed vulnerabilities for Outlook Express and Windows Mail. 

  • This affects Microsoft Outlook Express 6 on Windows XP SP2 and Windows Server 2003 SP1 and SP2.  (Outlook Express 5.5 SP2 and Outlook Express 6 SP1 on Windows 2000 SP4 systems are unaffected).

  • This update replaces previous updates MS06-016, MS06-043, and MS06-076. 

  • An attacker could exploit the vulnerabilities by hosting a malicious web page and enticing the user to visit this site or delivering the malicious file via email.  These issues can NOT be exploited without user interaction.  The impact of successful exploit could be information disclosure.

  • While Outlook Express may be installed on RALS IMS systems for the purpose of emailing reports, it is not configured to receive email.  This vulnerability cannot be exploited without user interaction.  The user cannot be forced to visit the malicious web page, and the intended use of the RALS systems does not support users using the RALS systems for non-RALS related "web-surfing" activities.

  • Recommend this update be included with the next regular RALS product test and release cycle.  The expected risk for adverse effects on RALS operations from this update is low.

MS07-035 – Critical

Vulnerability in Win 32 API Could Allow Remote Code Execution (935839)

  • This update resolves a privately reported vulnerability in a Win32 API. This vulnerability could allow remote code execution or elevation of privilege if the affected API is used locally by a specially crafted application.

  • This affects Windows 2000 Server SP4; Windows XP SP2; and Windows Server 2003 SP1 and SP2.

  • This update replaces previous update MS06-051.

  • An attacker could exploit the vulnerabilities by hosting a malicious web page and enticing the user to visit this site or delivering the malicious HTML content by other means such as email.  These issues can NOT be exploited without user interaction.  An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • Recommend this update be included with the next regular RALS product test and release cycle.  The expected risk for adverse effects on RALS operations from this update is low.
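As an added example (not part of the original bulletin or any RALS tooling), the following Python audit applies the platform lists above to a host's installed-hotfix list and reports which of the June 2007 updates recommended for the RALS release cycle are still missing.  It assumes the hotfix list was captured with "wmic qfe get HotFixID" on the Windows XP/2003 host; the sample output below is constructed, and the platform strings are this script's own labels.

```python
import re

# Applicability and recommendation for each June 2007 bulletin, exactly as
# listed in this bulletin update (platform labels are this script's own).
# bulletin -> (KB article, affected platforms, RALS recommendation)
BULLETINS = {
    "MS07-030": ("KB927051", set(), "no action: Visio not part of RALS"),
    "MS07-031": ("KB935840", {"Windows 2000 SP4", "Windows XP SP2",
                              "Windows Server 2003 SP1", "Windows Server 2003 SP2"},
                 "include in next RALS test/release cycle"),
    "MS07-032": ("KB931213", set(), "no action: Vista not part of RALS"),
    "MS07-033": ("KB933566", {"Windows 2000 SP4", "Windows XP SP2",
                              "Windows Server 2003 SP1"},
                 "include in next RALS test/release cycle"),
    "MS07-034": ("KB929123", {"Windows XP SP2",
                              "Windows Server 2003 SP1", "Windows Server 2003 SP2"},
                 "include in next RALS test/release cycle"),
    "MS07-035": ("KB935839", {"Windows 2000 SP4", "Windows XP SP2",
                              "Windows Server 2003 SP1", "Windows Server 2003 SP2"},
                 "include in next RALS test/release cycle"),
}

# Constructed sample of "wmic qfe get HotFixID" output from an XP SP2 host.
SAMPLE_QFE_OUTPUT = """HotFixID
KB929123
KB935840
KB123456
"""


def installed_kbs(qfe_output):
    """Extract the set of KB identifiers from wmic qfe output."""
    return set(re.findall(r"\bKB\d{6,7}\b", qfe_output))


def missing_updates(platform, qfe_output):
    """Return 'MSyy-nnn (KBnnnnnn)' for each bulletin that applies to the
    given platform per this bulletin update but is not yet installed."""
    have = installed_kbs(qfe_output)
    return [f"{bulletin} ({kb})"
            for bulletin, (kb, platforms, _) in sorted(BULLETINS.items())
            if platform in platforms and kb not in have]


if __name__ == "__main__":
    for item in missing_updates("Windows XP SP2", SAMPLE_QFE_OUTPUT):
        print("missing:", item)
```

Windows 2000 SP4 hosts are deliberately not flagged for MS07-034, matching the bulletin's note that Outlook Express on Windows 2000 is unaffected.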


© 2007 Medical Automation Systems, Inc., Charlottesville, VA USA. All rights reserved.