Apr. 2007 Security Updates
Apr. 16, 2007
After a patch-free Mar. 2007, Apr. 2007 brought an unusual unscheduled release of a critical patch, prompted by a rapidly growing public exploit, followed by the release of five critical patches and one important patch on the regularly scheduled "Patch Tuesday." The unscheduled patch is significant because one of the problems it fixed was privately disclosed to Microsoft two years ago, and Microsoft had not fixed the problem in Windows XP until its hand was forced by public disclosure.

Vulnerability Triage

Microsoft confirms that one of the original elevation-of-privilege vulnerabilities fixed in MS07-017, "Vulnerabilities in GDI Could Allow Remote Code Execution," sometimes referred to as the "GDI Local Elevation of Privilege" vulnerability, was formally reported two years ago. (Other vulnerabilities fixed by the patch were reported as late as Dec. 2006.) The oldest vulnerability was not fixed for several reasons:

Microsoft decided to fix the GDI Local Elevation of Privilege vulnerability in upcoming service packs, and the vulnerability was in fact fixed in the second service pack for Windows Server 2003 and in Windows Vista (a new release). However, the decision left Windows XP exposed, as its next service pack (SP3) has been pushed back several times and is not due until sometime in 2008, if ever. Microsoft ultimately had to rush out a patch for the vulnerability, together with patches for several other vulnerabilities, because of a publicly circulating exploit. This initial patch included a fix for the problem reported in Dec. 2006, and that fix created severe system problems for some users with the Realtek HD Audio Control Panel, ElsterFormular 2006/2007, TUGZip, and CD-Tag. Those problems were then corrected in the patch released on Patch Tuesday. The incident illustrates a fundamental problem with Microsoft's Windows maintenance strategy: if the company intends to issue fewer Windows service packs, then it must issue more patches, more quickly, for reported vulnerabilities.

Other Patch Tuesday Updates

Several other nonsecurity updates were released on the April Patch Tuesday.

Malicious Software Removal Tool. The monthly installment of the technology to remove malicious software from users' systems was released on Patch Tuesday. This month's update removes Win32/Funner.A.

Other nonsecurity updates. Other nonsecurity updates include the monthly update to the Outlook 2003 Junk E-mail Filter, and an update to fix a synchronization problem when the client computer is running the Microsoft Windows Media Format 11 SDK.

Resources

Information about updates released in Apr. 2007 can be found at www.microsoft.com/technet/security/current.aspx. The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.