• Chart: Jan. 2007 Security Communications Summary

Four patches—three critical and one important—addressing multiple vulnerabilities were distributed on the Jan. 2007 "Patch Tuesday." The patches repair vulnerabilities in Windows, Internet Explorer (IE), and Office, but some publicly circulating exploits for Office remain unrepaired.

Critical Patches

An unchecked buffer in the Windows and IE implementations of Vector Markup Language (VML) creates a critical vulnerability. VML is an XML-based editing and delivery format for high-quality vector graphics on the Web and is generated by some Web-based applications.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability, but the attacker would have to convince a user to visit the site—for example, by getting the user to click on a link in an e-mail or instant messenger message, or including VML information in HTML-formatted message. An exploit of this buffer overflow could allow the attacker to take complete control of the system. The VML patch for Windows closes this vulnerability.

The patch for Excel resolves five bugs that affect how Excel handles malformed data, such as an improper file. Typically, malformed-data bugs occur when the program does not sufficiently validate data. When Excel parses data malformed in particular ways, it may corrupt system memory in such a way that an attacker could execute arbitrary code and take complete control of the system.

Of the three bugs fixed by the Outlook patch, the most severe is a remote code execution vulnerability that exists in the code that Outlook uses to parse an Office Saved Search (OSS). Saved Searches are virtual folders that contain views of e-mail items that satisfy specific search criteria. The specific search criteria are stored in an OSS file. To exploit the vulnerability, an attacker could create a specially crafted e-mail message and send it to a user of Outlook. When Outlook opens the malicious OSS attachment and parses the request, it may corrupt system memory in such a way that an attacker could execute arbitrary code, giving the attacker complete control of the system.

Other Patch Tuesday Announcements

The monthly installment of the technology to remove malicious software from users' systems was released on Patch Tuesday as well. This month's update removes Win32/Haxdoor.

The nonsecurity updates include the monthly update to the Outlook 2003 Junk E-Mail Filter and a currently undocumented (no posted Knowledge Base article) update for Outlook 2003.

Resources

Information about updates released in Jan. 2007 can be found at www.microsoft.com/technet/security/current.aspx.

The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.