Patch Tuesday for June 2007

Microsoft released six security patches today. Four of them were rated critical, one important and one moderate. There are patches for all supported desktop OS platforms, Internet Explorer, a couple of mail apps and a couple of versions of Visio. There aren’t any Office patches.

The critical desktop patches are:

MS07-031 for Windows XP SP2, Windows XP x64 and Windows XP x64 SP2. It’s rated as “important” for Windows 2000 SP4. Earlier versions of Windows 2000 and XP may be affected but aren’t supported by Microsoft. On Windows XP this vulnerability can allow remote code execution. On other OS’s the vulnerability results in a denial of service attack (such as a system crash). The user must visit a malicious website to be exploited.

MS07-033 is the cumulative patch for all versions of Internet Explorer and is critical on all desktop OS’s that run it. Since this is a cumulative update, it carries forward any baggage of earlier issues (like changes in ActiveX control handling). As usual, the most serious vulnerability impact is remote code execution. Six new vulnerabilities are identified in the bulletin, some of which allow remote code execution.

MS07-034 is for Windows Mail on Vista (including Vista x64). It is rated “important” for Outlook Express 6 on all versions of Windows XP. There are five different vulnerabilities identified. On XP they may disclose information; on Vista they allow remote code execution.

MS07-035 is for all desktop OS’s except Vista. It’s not needed on Vista. (Obligatory MS dig – proves Vista is “more secure”.) The vulnerability allows remote code execution.

The two other patches are:

MS07-030 is for Visio 2002 SP2 and Visio 2003 SP2 and is rated as “important”. The vulnerability will allow remote code execution although it cannot be exploited automatically. The user must visit a malicious website or open a malicious email attachment.

MS07-032 is for Windows Vista (including x64) and is rated “moderate”. This could result in information disclosure, including some passwords which would allow higher level access. Exploitation does require valid logon credentials for the PC.

I applied the appropriate patches to Windows XP SP2 without incident. I don’t use the Mail app of Vista so can’t say if it affects the app in some way. The bulletins don’t list any known issues.

The patches are released through Windows Update and are available for individual download.