Microsoft has patched 11 vulnerabilities in Windows, Office and the .Net Framework - five of them rated 'critical'.

The most serious of the batch is MS07-039, said security analysts who, unlike last month, had no trouble naming that critical update as the one which should be patched first.

"By far, this is the top of the list this month," said Andrew Storms, director of security operations at nCircle Network Security.

MS07-039 patches a pair of bugs in Active Directory in Windows 2000 Server and Windows Server 2003, the two supported server editions of Microsoft's operating system. The most dangerous of the two is a vulnerability in the way Active Directory validates an LDAP (Lightweight Directory Access Protocol) request. According to Microsoft's write-up, "an attacker who successfully exploited this vulnerability could take complete control of an affected system”.

"Definitely at the top of today's list," agreed David Dewey, a researcher with IBM Internet Security Systems' X-Force team. "It's definitely exploitable”.

Dewey should know, since it was a colleague at ISS, Neel Mehta, who discovered the flaw last summer. "Neel's created proof-of-concept code in-house during the time we worked on this with Microsoft," said Dewey.

"It would certainly be worth the effort" to exploit this, added Storms. "Active Directory is in the centre of every Windows network. There's a lot in there, including the group policy objects that set security - and everything about every user."

Unlike most vulnerabilities, the Active Directory bug can be exploited without any user interaction, and on Windows 2000 Server, the older of the two operating systems, it can be attacked by an anonymous user. Although Windows Server 2003 may look safer at first glance - an attacker must have valid credentials to exploit the bug on that edition - looks can be deceiving, said Tom Cross, another X-Force researcher.

"In this case, the authentication requirements become less important," said Cross. "Anyone on the network - an employee, for example - would by definition have credentials."

Worse, said Cross, is that outside attackers could exploit this without a lot of trouble by bundling an MS07-039 exploit with a multi-strike attack that figures on compromising some fraction of enterprise laptops while they're outside the network. Once back inside the enterprise's perimeter, the Active Directory exploit could fire up - using the credentials of the hijacked notebook - to grab systems running the supposedly more secure Windows Server 2003.

Two of the remaining five bulletins were pegged ‘critical’ by Microsoft, while another two were marked ‘important’. The final update was tagged as ‘moderate.’

MS07-036, which patches three vulnerabilities, two of them judged critical and one of them a zero-day flaw already out in public, repairs bugs in Excel 2000, 2002, 2003 and 2007. Similar vulnerabilities in other Microsoft Office document formats, including those in Word and PowerPoint, have been used by attackers to slip malicious code into corporations. Some of these attacks have been so narrowly targeted that they're launched against just one user at one company.

What's interesting about this update, said a Symantec researcher, is that Microsoft got it wrong back in February when it downplayed the initial report of the Excel threat. Then, Symantec's DeepSight threat network analysts reported Excel 2003 was susceptible to a denial-of-service bug which, if exploited, could crash the program. Four months ago, Microsoft denied that the bugs were actually vulnerabilities.

"Microsoft has completed its investigation of new public reports of possible vulnerabilities in Microsoft Office 2003 and Microsoft Excel 2003 [and] has confirmed that these are not product vulnerabilities," a spokeswoman said at the time. "They are issues that can cause the application to become unresponsive. Users can restart the application," she said.

"[Today's] bulletin includes a fix for a previously disclosed denial-of-service issue from February 2007 which is now billed as having the potential for remote code execution," noted Oliver Friedrichs, director of Symantec's security response group.

As Friedrichs pointed out, Microsoft characterised all three bugs patched by MS07-036 as having a "remote code execution" impact, meaning that hackers could inject their own malware into a PC after exploiting the Excel flaws.

The third critical update, MS07-040, plugs three holes in the .Net Framework, the primary Windows runtime environment called on by developers. Notably, all three vulnerabilities were previewed during a sneak peek at the Syscan'07 security conference last week in Singapore.

But the patches may be a ton of trouble to corporate IT managers, said Storms, because the .Net Framework is so widely used by corporate developers of in-house software. "Not only will [companies] have to run QA on the patches, they'll have to run QA on the code that runs on .Net," said Storms. The fixes in MS07-040 apply to all but Version 3.x of .Net Framework, adding additional complexity to in-enterprise application testing.

Of the remaining security updates, one fixes a flaw in Publisher 2007, another patches Internet Information Services 5.1 on Windows XP Professional SP2, and the third quashes a bug in Windows Vista's bundled firewall.

That last, although rated 'moderate', second-from-the-bottom in Microsoft's four-step severity rating system, is worth some reflection, said Symantec's Friedrichs.

"Microsoft's decision to rewrite the Windows network stack and its accompanying firewall [for Vista] continues to have long-term security implications," Friedrichs said. "A network stack can take decades of heavy scrutiny in order to become battle hardened. As an operating system's first line of defence, its quality is directly related to its ability to withstand attack."

On its own, added Friedrichs, the firewall bug isn't a big deal; the result of an exploit is that the attacker can "see" the system when it should actually be completely invisible to outside probes. "[But] if this logic flaw were combined with a vulnerability in one of the exposed services, this could have more serious, widespread implications."

As usual, Microsoft's monthly updates have been posted to Microsoft Update and Windows Update services, and they can also be retrieved through Windows Server Update Services (WSUS).

www.computerworld.com