In my mind, I compare the "Microsoft Tuesday" monster to the sea monster in Ray Bradbury's story "The Fog Horn" from my high school English textbook. This monster rears its head on the second Tuesday of every month. Here is a relevant excerpt from the story (spoiler alert):
"It's a dinosaur of some sort!" I crouched down, holding to the stair rail.
"Yes, one of the tribe."
"But they died out!"
"No, only hid away in the Deeps. Deep, deep down in the deepest Deeps. Isn't that a word now, Johnny, a real word, it says so much: the Deeps. There's all the coldness and darkness and deepness in the world in a word like that."
"What do we do?"
"Do? We got our job, we can't leave. Besides, we're safer here than in any boat trying to get to land. That thing's as big as a destroyer and almost as swift."
"But here, why does it come here?"
The next moment I had my answer.
The Fog Horn blew.
And the monster answered.
For this month's bulletins, two of the patched flaws were discovered through our Zero Day Initiative (ZDI). Here is how I recommend prioritizing your patches, starting with the server-side issues:
1. MS07-029: Vulnerability in DNS Could Allow Remote Code Execution (Rating: Critical)
This patch fixes the 0-day flaw in the RPC management interface of the Microsoft DNS server that came to light three weeks ago. The vulnerability allows an attacker to completely compromise a DNS server. In the past, DNS compromises have been used to redirect users to malicious web pages that in turn exploit browser vulnerabilities to compromise systems on a large scale. Multiple exploits have been posted publicly, so this patch should be applied as soon as possible. Where it cannot go on immediately, Microsoft's advisory workaround is to disable remote RPC management of the DNS service (the RpcProtocol value under the DNS service's Parameters registry key), which takes the vulnerable interface off the network until the patch is in place.
2. MS07-026: Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (Rating: Critical)
This patch fixes a remotely exploitable code execution vulnerability in the Exchange server, and no authentication is required to exploit it. Exploit code for similar vulnerabilities is readily available, so I expect exploit code for this flaw to be posted soon. The flaw is triggered by a specially crafted e-mail, which makes it a natural fit for the targeted attacks that are increasingly common. Enterprises running Exchange should therefore patch this on a priority basis.
The remaining patches pertain to vulnerabilities that can be exploited when a user visits a malicious web page or opens a specially crafted Office attachment, such as an Excel file.
3. MS07-027: Cumulative Security Update for Internet Explorer (Rating: Critical)
Zero Day Initiative advisory: ZDI-07-027
Internet Explorer still remains the most widely used browser, and large-scale exploitation of IE flaws is an event that is almost taken for granted. Over the past few years, numerous exploits have been posted on mailing lists. All in all, this is a patch that deserves to be applied to keep your users from being infected through yet another route.
4. MS07-023: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Rating: Critical)
Zero Day Initiative advisory: ZDI-07-026
5. MS07-024: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (Rating: Critical)
6. MS07-025: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Rating: Critical)
Microsoft and fuzzing experts around the globe are still finding remote code execution vulnerabilities in the Office file formats. These flaws have been used in targeted attacks against large organizations in the past.
I have recently read some reports about Microsoft slowly embracing the open-source concept. If that were to extend to the file formats we all use, I think it could lead to rapid bug finding and fixing in a short span of time.
7. MS07-028: Vulnerability in CAPICOM and BizTalk could Allow Remote Code Execution (Rating: Critical)
And, finally, if your systems have Capicom.dll installed, apply this update. The update patches a buffer overflow in the CAPICOM ActiveX control. CAPICOM is not part of a default Windows install; it arrives with BizTalk, the Platform SDK and various third-party installers, so the first step is to find out whether you have it at all.
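The check a Windows administrator would want here, as an added example that is not part of the original post: inventory every copy of capicom.dll on a host and flag those older than the version MS07-028 ships. The fixed file version (2.1.0.2) and the search roots are assumptions; confirm the version against the bulletin's file table before trusting the Vulnerable flag.

```powershell
# Added example, not part of the original post: inventory every capicom.dll on a
# host and flag copies older than the version MS07-028 ships.
# ASSUMPTION: 2.1.0.2 is the fixed CAPICOM file version; confirm it against the
# bulletin's file table before relying on the Vulnerable flag.
$FixedVersion = [version]'2.1.0.2'

# ASSUMPTION: CAPICOM is not part of Windows itself; it is dropped by BizTalk, the
# Platform SDK and third-party installers, so the search covers the common roots.
# Extend $Roots for your environment.
$Roots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$Findings = foreach ($Root in $Roots) {
    Get-ChildItem -LiteralPath $Root -Filter 'capicom.dll' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Build the version from the numeric parts; the FileVersion string can
            # carry trailing text that [version] will not parse.
            $Info = $_.VersionInfo
            $FileVersion = [version]('{0}.{1}.{2}.{3}' -f $Info.FileMajorPart,
                $Info.FileMinorPart, $Info.FileBuildPart, $Info.FilePrivatePart)
            New-Object PSObject -Property @{
                Path        = $_.FullName
                FileVersion = $FileVersion
                Vulnerable  = ($FileVersion -lt $FixedVersion)
            }
        }
}

if (-not $Findings) {
    Write-Output 'capicom.dll not found: MS07-028 does not apply to this host.'
} else {
    $Findings | Format-Table Path, FileVersion, Vulnerable -AutoSize
    if ($Findings | Where-Object { $_.Vulnerable }) {
        Write-Warning 'Unpatched CAPICOM control present: apply MS07-028 or remove the control.'
    }
}
```

Run it in an elevated PowerShell session so the Program Files trees are readable; a host that reports no copies needs no action for this bulletin, while any row marked Vulnerable should be patched or have the control removed.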
