Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security, CISSP)
Senior Technical Support Engineer, Microsoft Taiwan Technical Support Division
May Security Bulletins
May 10, 2007
What Will We Cover?
Security Bulletins
– 7 New Critical updates
Non-Security Releases
– 4 Non-security updates
Detection and Deployment
Other Information
– Windows Malicious Software Removal Tool
– LifeCycle Information
References
Questions and Answers Submit text questions using the “Ask a Question” button
Hot issue updates
Svchost.exe high CPU (99%) when doing update scan
Resolution: Try to install Windows Update Agent v3
– UpdateAgent30-x86.exe
– UpdateAgent30-x64.exe
– UpdateAgent30-ia64.exe
Further information can be found at
May 2007 Security Bulletins Overview
Bulletin Number | Title | Maximum Severity Rating | Products Affected
MS | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233) | Critical | All currently supported versions of Microsoft Excel
MS | Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) | Critical | Microsoft Word 2000, 2002, 2003
MS | Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873) | Critical | All currently supported versions of Microsoft Office
MS | Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832) | Critical | All current versions of Microsoft Exchange
MS | Cumulative Security Update for Internet Explorer (931768) | Critical | All current versions Internet Explorer on all currently supported versions of Microsoft Windows
MS | Vulnerability in CAPICOM Could Allow Remote Code Execution (931906) | Critical | CAPICOM, BizTalk Server
MS | Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution (935966) | Critical | Windows 2000 (server), Windows Server 2003
May 2007 Security Bulletins Severity Summary
Products: Microsoft Excel 2000, Microsoft Excel 2002, Microsoft Excel 2003, Excel 2007
MS07-023: Critical, Important
Products: Microsoft Word 2000, Microsoft Word 2002, Microsoft Word 2003, Microsoft Word 2007, Microsoft Word 2004 for Mac
MS07-024: Critical, Important, Not Affected, Important
Products: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2004 for Mac
MS07-025: Critical, Important
May 2007 Security Bulletins Severity Summary (2)
Products: IE 5.01 SP4, IE 6 SP1, Internet Explorer 6 & 7 for Windows Server 2003 SP1 & SP2, IE 6.0 for XP SP2, IE 7.0 for XP SP2, IE 7.0 for Vista
MS: Critical, Moderate, Critical
Products: Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003 SP1 & SP2, Microsoft Exchange Server 2007
MS: Critical
Products: CAPICOM, BizTalk Server 2004
MS07-028: Critical
Products: Windows 2000 SP4, Windows Server 2003 SP1 & SP2
MS07-029: Critical
MS – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233) – Critical
Vulnerabilities: Three code execution vulnerabilities due to Excel’s handling of malformed data elements
Possible Attack Vectors:
– Attacker crafts specially formed Excel document
– Attacker places Excel document on web page or includes in e-mail as attachment
– Attacker convinces user to visit Web site or view e-mail and open attachment
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
– Limits on user’s account limit attacker’s code
– Excel 2002, Excel 2003 and Excel 2007: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.
– Excel 2002, Excel 2003 and Excel 2007: cannot be exploited automatically through Web page. User must click through trust decision dialog box.
  – Dialog box does not occur in Office
  – Dialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
– User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.
– Excel 2007: issue affects handling of older Excel file format. File blocking can help protect: http://technet2.microsoft.com/Office/en-us/library/fe3f431c-8d7a-45c8-954f- 1268f3b mspx?mfr=true
MS – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233) – Critical
Replaced Updates: MS
Publicly Disclosed/Known Exploits:
– PD: No
– KE: No
More Information: KB:
MS – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) – Critical
Vulnerabilities: Three code execution vulnerabilities due to Word’s handling of malformed data elements
Possible Attack Vectors:
– Attacker crafts specially formed Word document
– Attacker places Word document on web page or includes in e-mail as attachment
– Attacker convinces user to visit Web site or view e-mail and open attachment
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
– Limits on user’s account limit attacker’s code
– Word 2002 or Word 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.
– Word 2002 or Word 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.
  – Dialog box does not occur in Office
  – Dialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
– User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.
MS – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) – Critical
Replaced Updates: MS
Publicly Disclosed/Known Exploits:
– CVE is publicly disclosed and there are known exploits reported.
– Others are not.
More Information:
– Addresses issue discussed in Microsoft Security Advisory
– KB:
MS – Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873) – Critical
Vulnerability: One code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object
Possible Attack Vectors:
– Attacker crafts specially formed Office document
– Attacker places Office document on web page or includes in e-mail as attachment
– Attacker convinces user to visit Web site or view e-mail and open attachment
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
– Limits on user’s account limit attacker’s code
– Office XP or Office 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.
– Office XP or Office 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.
  – Dialog box does not occur in Office
  – Dialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
– User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.
MS – Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873) – Critical
Replaced Updates: MS
Publicly Disclosed/Known Exploits:
– PD: No
– KE: No
More Information
MS – Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832) – Critical
Vulnerabilities: One remote code execution, one information disclosure and two denial of service vulnerabilities
Possible Attack Vectors:
– Attacker creates e-mail with specially formed message
– Attacker sends e-mail to Exchange Server
Impact of Attack: Run code in context of LocalSystem
Mitigating Factors: None
Replaced Updates: MS06-019, MS
Publicly Disclosed/Known Exploits:
– PD: No
– KE: No
More Information: KB:
MS – Cumulative Security Update for Internet Explorer (931768) – Critical
Vulnerabilities: Five code execution vulnerabilities
Possible Attack Vectors:
– Attacker creates specially formed Web page
– Attacker posts page on Web site or sends page as HTML e-mail
– Attacker convinces user to visit Web site or view e-mail
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
– Limits on user’s account limit attacker’s code
– Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
– All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.
– Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.
MS – Cumulative Security Update for Internet Explorer (931768) – Critical
Replaced Updates: MS
Publicly Disclosed/Known Exploits:
– PD: CVE COM Object Instantiation Memory Corruption Vulnerability, others are not.
– KE: No
More Information:
– Sets killbit for the ActiveX control LaunchApp Software available from Acer Incorporated
  – See http://global.acer.com/support/patch htm for more information
– Sets killbit for an ActiveX control developed by Research In Motion (RIM)
  – See http://na.blackberry.com/eng/ataglance/security/news.jsp for more information
– KB:
MS – Vulnerability in CAPICOM Could Allow Remote Code Execution (931906) – Critical
Vulnerability: A code execution vulnerability in Cryptographic API Component Object Model (CAPICOM) due to input handling in the ActiveX control
Possible Attack Vectors:
– Attacker creates specially formed Web page
– Attacker posts page on Web site or sends page as HTML e-mail
– Attacker convinces user to visit Web site or view e-mail
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
– Limits on user’s account limit attacker’s code
– Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
– All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.
– Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.
– ActiveX control is not on IE 7 ActiveX opt-in list: user must explicitly approve first-time running of control
MS – Vulnerability in CAPICOM Could Allow Remote Code Execution (931906) – Critical
Replaced Updates: None
Publicly Disclosed/Known Exploits:
– PD: No
– KE: No
More Information:
– What is CAPICOM?
– KB:
MS Situation Overview
– First obtained partial information of limited attacks on April 6, 2007
– Investigation yielded information about new vulnerability on April 11, 2007
– Workarounds identified and Security Advisory released on April 12, 2007
– Information released to Microsoft Security Alliance (MSRA) partners to help provide broader protections
– Ongoing monitoring indicated attacks remained limited
MS – Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution (935966) – Critical
Vulnerability: Code execution vulnerability in RPC management of DNS Server service
Possible Attack Vectors:
– Attacker creates specially formed network packet
– Attacker sends packet to vulnerable system
Impact of Attack: Run code in LocalSystem context
Workarounds:
– Block TCP/UDP 139/445 and all ports above 1024
– Add RpcProtocol key =1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Replaced Updates: None
Publicly Disclosed/Known Exploits:
– PD: Yes
– KE: Yes
More Information:
– Addresses issue discussed in Microsoft Security Advisory
– Security update will not undo any workarounds put in place: must be rolled back manually
– KB:
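Because the update leaves the registry workaround in place, an administrator has to find and remove it by hand. The PowerShell below is an added example, not part of the original webcast deck: it reports whether the RpcProtocol value from the slide is still set and removes it only after confirmation. It assumes a DNS server on which PowerShell is available; the function names are hypothetical, and the port-blocking workaround is not covered.

```powershell
# Added example, not from the original deck.
# Key path and value name are the ones given on the slide.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'

function Get-DnsRpcWorkaround {
    # Hypothetical helper: reports whether the workaround value exists
    # and what it is currently set to. Makes no changes.
    param([string]$Path = $DnsParams, [string]$Name = $ValueName)

    $state = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $Path
        Present  = $false
        Value    = $null
    }
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $state.Present = $true
            $state.Value   = $item.$Name
        }
    }
    return $state
}

function Remove-DnsRpcWorkaround {
    # Hypothetical helper for the manual rollback: deletes the value
    # only after the operator confirms; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$Path = $DnsParams, [string]$Name = $ValueName)

    $state = Get-DnsRpcWorkaround -Path $Path -Name $Name
    if (-not $state.Present) {
        Write-Verbose "$Name is not set under $Path; nothing to roll back."
        return
    }
    $target = "$Path\$Name (current value: $($state.Value))"
    if ($PSCmdlet.ShouldProcess($target, 'Remove workaround value')) {
        Remove-ItemProperty -LiteralPath $Path -Name $Name
    }
}

# Review the current state first, then preview the rollback without changing anything.
Get-DnsRpcWorkaround | Format-List
Remove-DnsRpcWorkaround -WhatIf
```

Run the removal without `-WhatIf` only after confirming the security update is installed on that server.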
Detection and Deployment
Columns: WU/SUS/AU | Office Update & SMS Microsoft Office Inventory Tool for Updates | MBSA 1.2 & SMS Security Update Inventory Tool | Enterprise Scan Tool & SMS Security Update Scan Tools | MU/WSUS/AU, SMS 2003 ITMU, & MBSA 2.0
MS: NA | Yes (except 2007) | Yes (local except 2007) | No | Yes (except 2000)
MS: NA | Yes | Yes (local) | No | Yes (except 2000)
MS: NA | Yes (except 2007) | Yes (local except 2007) | No | Yes (except 2000)
MS: NA | Yes (except 2007) | No | Yes
MS: Yes | NA | Yes (except Vista) | No | Yes
MS: Yes | NA | No | Yes
MS: Yes | NA | Yes | No | Yes
Detection and Deployment Support in Windows Vista
Supported:
– Windows Update
– Microsoft Update
– MBSA 2.1 (beta, remote only)
– MBSA (remote only)
– WSUS
– SMS 2003 with ITMU V3
Not Supported:
– Software Update Services
– MBSA
– SMS Security Update Inventory Tool
– SMS 2003 with ITMU earlier than V3
Other Update Information
Bulletin | Restart | Hotpatching | Uninstall | Replaces
MS | No | NA | Yes (Except 2000) | MS
MS | No | NA | Yes (Except 2000) | MS
MS | No | NA | Yes (Except 2000) | MS
MS | No | NA | Yes | MS06-019, MS
MS | Yes | NA | Yes | MS
MS | No | NA | Yes | NA
MS | Yes | No | Yes | NA
May 2007 Non-Security Updates
Number | Title | Distribution
Update for Windows XP (KB930916) | WU, MU
Update for Outlook 2003 Junk Filter (KB934708) | MU
Update for Outlook 2007 Junk Filter (KB934655) | MU
Update for PowerPoint 2003 (KB933669) | MU
Update for Word 2007 (KB934173) | MU
Windows Malicious Software Removal Tool
Adds the ability to remove:
– Win32/Renos
Available as priority update through Windows Update or Microsoft Update for Windows XP users
Offered through WSUS; not offered through SUS 1.0
Also available as a download at
Lifecycle Support Information
April 2007
– Windows Server 2003 RTM (SP0)
July 10, 2007
– Software Update Services 1.0
– SQL Server 2000 Service Pack 3a
– SQL Server 2005 RTM (SP0)
Resources
– Security Bulletins Summary
– Security Bulletins Search
– Security Advisories
– MSRC Blog
– Notifications
– TechNet Radio
– IT Pro Security Newsletter
– TechNet Security Center
– TechNet Forum ITPro
– Detection and deployment guidance for the May 2007 security release
Questions and Answers
Submit text questions using the “Ask a Question” button
Don’t forget to fill out the survey
For upcoming and previously recorded webcasts:
Webcast content suggestions: