Microsoft Patch Tuesday for July 2007

It’s the second Tuesday of July and that means patches from Microsoft. This month brings six patches: three rated critical, two important, and one moderate. Only five patches are for desktop software, and Windows Vista also gets its own unique patch, although it’s the one rated moderate. Of these, only the .NET patches and the Vista patch were needed on my PCs. In addition to these security updates, I also received an update (through automatic update) related to Intel processors. This was called a “microcode reliability update”.

My test PCs include Windows XP SP2, Windows Vista Business Premium and Windows Vista Ultimate Edition. The Windows Vista OSes are running under Parallels on my iMac. All my test PCs were patched through automatic update and required a reboot after applying the patches.

MS07-040 is rated critical and affects .NET versions 1.x and 2.x; version 3.x is not affected. All operating systems are affected if they have a vulnerable version of .NET installed. There are no known issues listed in the bulletin. If you have both versions of .NET on the PC, you need a separate patch for each version. I have .NET 1.x and 2.x on Windows XP SP2, Windows Vista Business Premium and Windows Vista Ultimate. I did not have problems with any of the .NET patches.

[Update July 13th] Slashdot has a posting about people seeing high CPU usage and other issues with the MS07-040 patches.

MS07-038 is rated moderate and affects Windows Vista, both 32-bit and 64-bit versions. This patches a vulnerability in the Windows Vista firewall that could allow an attacker to gather information about a host. There are no known issues listed in the bulletin. I did not have any problems installing the patch on either of my Vista systems.

The Microcode Reliability Update (936357) was also installed through automatic update as a required patch. This was run on my older HP laptop, which uses a Pentium 4, which leads me to believe the patch runs and then determines the CPU, since Pentium 4s aren’t in the bulletin as needing the patch. This patch also ran on Windows under Parallels.

I couldn’t install the remaining security patches but they are:

Two of the patches affect Microsoft Office software. I did not install either of these patches since I don’t have the affected products.

MS07-036 is rated critical and affects all versions of Microsoft Excel from Excel 2000 on up. It also applies to the Office 2007 compatibility pack. It’s only rated critical for Excel 2000. Microsoft rates the other versions as “important”. The bulletin does not list any known issues.

[Updated July 13th] Microsoft has updated MS07-036 to include Microsoft Office 2004 for Mac in the list of vulnerable software that must be patched. I don’t run this software so won’t be installing this patch either.

MS07-037 is rated important and affects Microsoft Office Publisher 2007 only. The bulletin does not list any known issues.

MS07-041 is rated important and affects Microsoft Internet Information Server (IIS) when running on Windows XP SP2. Earlier versions of Windows XP may be affected, but Microsoft only supports service pack 2. IIS is not installed by default on Windows XP.

The server patch is MS07-039, which addresses a vulnerability in Active Directory that’s rated critical.

The patches are available through automatic update or can be downloaded individually from Microsoft.