Microsoft fixes 9 flaws in 6 patches; 4 are critical

Patches include Microsoft Office, Outlook and Windows Mail, Internet Explorer, and the Kodak Image Viewer.

Microsoft today released its October 2007 security bulletin, which includes six updates: four are designated as Critical by the software giant, two are deemed Important, and one previously announced patch was dropped. On the Windows side there is a cumulative update for Internet Explorer, a patch for Outlook Express/Windows Mail, and one for an RPC vulnerability. On the Microsoft Office side, there is a patch for SharePoint Server and one critical patch for Microsoft Office Word, including Microsoft Office 2004 for Mac. There is also one patch for the Kodak Image Viewer. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-055: Critical

Entitled "Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)," this bulletin affects users of Microsoft Windows 2000, Windows XP SP2, Windows Server 2003 (including x64 and Itanium-based editions), and Windows Vista, and addresses the vulnerability detailed in CVE-2007-2217. A vulnerability exists in the way that the Kodak Image Viewer, formerly known as Wang Image Viewer, handles specially crafted image files. Successful exploitation could allow remote code execution.

MS07-056: Critical

Entitled "Security Update for Outlook Express and Windows Mail (941202)," this bulletin affects users of Outlook Express 5.5 and 6, and Windows Mail, running on Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, and addresses the vulnerability detailed in CVE-2007-3897. Successful exploitation, due to an incorrectly handled malformed NNTP response, could allow remote code execution.

MS07-057: Critical

Entitled "Cumulative Security Update for Internet Explorer (939653)," this bulletin affects users of Internet Explorer 5.01, 6, and 7 running on Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, and addresses the four vulnerabilities detailed in CVE-2007-3892, CVE-2007-3893, CVE-2007-1091 and CVE-2007-3826. Successful exploitation could allow remote code execution.

MS07-058: Important

Entitled "Vulnerability in RPC Could Allow Denial of Service (933729)," this bulletin affects users of Windows 2000, Windows Server 2003, Windows XP, and Windows Vista, and addresses the vulnerability detailed in CVE-2007-2228. Successful exploitation could lead to a denial of service.

MS07-059: Important

Entitled "Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017)," this bulletin affects users of Microsoft Windows Server 2003 SP1 running Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007, and addresses the vulnerability detailed in CVE-2007-2581. Successful exploitation could allow an attacker to run an arbitrary script that modifies a user's cache, resulting in information disclosure at the workstation.

MS07-060: Critical

Entitled "Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, and Microsoft Office 2004 for Mac; it does not affect Microsoft Office 2003 Service Pack 2 or 3 or the 2007 Microsoft Office system. It addresses the vulnerability detailed in CVE-2007-3899. Successful exploitation, if a user opens a specially crafted Word file containing a malformed string, could allow remote code execution.

About the author

As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
