Microsoft today released its October 2007 security bulletin, which includes six updates: four are designated as Critical by the software giant; two are deemed Important, and one previously announced patch was dropped.
On the Windows side there is a cumulative update for Internet Explorer, a patch for Outlook/Windows Mail, and one for an RPC vulnerability. On the Microsoft Office side, there is a patch for SharePoint Server and one critical patch for Microsoft Word -- including Microsoft Office 2004 for Mac. And one patch for the Kodak Image Viewer.
All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
MS07-055: Critical
Entitled "Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)," this bulletin affects users of Microsoft Windows 2000, Windows XP SP2, and Windows Server 2003 x64 and Itanium-based users, or Windows Vista, and addresses the vulnerability detailed in CVE-2007-2217. A vulnerability exists in the way that the Kodak Image Viewer, formerly known as Wang Image Viewer, handles specially crafted images files. Successful exploitation could allow remote code execution.
MS07-056: Critical
Entitled "Security Update for Outlook Express and Windows Mail (941202)," this bulletin affects users of Outlook Express 5.5, 6, and Windows Mail running on Windows 2000, Windows XP, and Windows Server 2003, and Windows Vista, and addresses the vulnerability detailed in CVE-2007-3897. Successful exploitation due to an incorrectly handled malformed NNTP response could allow remote code execution.
MS07-057: Critical
Entitled "Cumulative Security Update for Internet Explorer (939653)," this bulletin affects users of Internet Explorer 5.01, 6, and 7 running on Windows 2000, Windows XP, and Windows Server 2003, and Windows Vista, and addresses the four vulnerabilities detailed in CVE-2007-3892, CVE-2007-3893, CVE-2007-1091 and CVE-2007-3826. Successful exploitation due could allow remote code execution.
MS07-058: Important
Entitled "Vulnerability in RPC Could Allow Denial of Service (933729)," this bulletin affects users of Windows 2000, Windows Server 2003, Windows XP, and Windows Vista, and addresses the vulnerability detailed in CVE-2007-2228. Successful exploitation could lead to a denial-of-service vulnerability.
MS07-059: Important
Entitled "Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017)," this bulletin affects users of Microsoft Windows Server 2003 SP1 running SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007, and addresses the vulnerability detailed in CVE-2007-2581. Successful exploitation could allow an attacker to run arbitrary script to modify a user's cache, resulting in information disclosure at the workstation.
MS07-060: Critical
Entitled "Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, and Microsoft Office 2004 for Mac, and does not affect Microsoft Office 2003 Service Pack 2 and 3 and 2007 Microsoft Office system, and addresses the vulnerability detailed in CVE-2007-3899. Successful exploitation if a user opens a specially crafted Word file with a malformed string could allow remote code execution.
