Windows 7 - Security Bulletins for December 2007

Asked By Donna Buenaventura
11-Dec-07 01:15 PM
Microsoft Security Bulletins for December 2007

Microsoft released today the following security bulletins. Note: There may
be latency issues due to replication; if the page does not display, keep
refreshing.

Critical:
MS07-064 - Vulnerabilities in DirectX Could Allow Remote Code Execution
(941568)
http://www.microsoft.com/technet/security/bulletin/MS07-064.mspx
MS07-068 - Vulnerabilities in DirectX Could Allow Remote Code Execution
(941568)
http://www.microsoft.com/technet/security/bulletin/MS07-068.mspx
MS07-069 - Cumulative Security Update for Internet Explorer (942615)
http://www.microsoft.com/technet/security/bulletin/MS07-069.mspx

Important:

MS07-063 - Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
http://www.microsoft.com/technet/security/bulletin/MS07-063.mspx
MS07-065 - Vulnerability in Message Queuing Could Allow Remote Code
Execution (937894)
http://www.microsoft.com/technet/security/bulletin/MS07-065.mspx
MS07-066 - Vulnerability in Windows Kernel Could Allow Elevation of
Privilege (943078)
http://www.microsoft.com/technet/security/bulletin/MS07-066.mspx
MS07-067 - Vulnerability in Macrovision Driver Could Allow Local Elevation
of Privilege (944653)
http://www.microsoft.com/technet/security/bulletin/MS07-067.mspx

Non-Security, High-Priority Updates on MU, WU, and WSUS

Microsoft has released four non-security, high-priority updates and 2007
Microsoft Office Service Pack 1 on Microsoft Update (MU) and Windows Server
Update Services (WSUS).

Microsoft has released four non-security, high-priority updates for Windows
and Windows SharePoint Services 3.0 Service Pack 1 on Windows Update (WU)
and WSUS.

References:
December 2007 Security Bulletins Summary:
http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx
Security Bulletin for end-users:
http://www.microsoft.com/protect/computer/updates/bulletins/200712.mspx
MSRC Blog: http://blogs.technet.com/msrc/default.aspx

Support:
Call 1-866-PCSAFETY. There is no charge for support calls that are
associated with security updates. International users should go to
http://support.microsoft.com/common/international.aspx

Security Bulletin Webcast:
Microsoft will host a Webcast tomorrow. The webcast focuses on addressing
your questions and concerns about the security bulletins. Therefore, most of
the live webcast is aimed at giving you the opportunity to ask questions and
get answers from their security experts:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032344696&EventCategory=4&culture=en-US&CountryCode=US

Update sources:
Microsoft NEVER sends security updates via e-mail. As always, download the
updates only from the vendor's website - visit Windows Update and Office
Update or Microsoft Update. You may also get the updates through the Automatic
Updates functionality in Windows.
Security updates are available on ISO-9660 DVD5 image files from the
Microsoft Download Center. For more information, please see
http://support.microsoft.com/kb/913086
Note: Don't be a victim of spoofed emails. Read "How to tell whether a
security e-mail message is really from Microsoft" at
http://www.microsoft.com/athome/security/email/ms_genuine_mail.mspx

Recommendations:
Microsoft advises customers to install the latest product releases, security
updates, and service packs to remain as secure as possible. Older products,
such as Microsoft Windows NT 4.0, may not meet today's more demanding
security requirements. It may not be possible for Microsoft to provide
security updates for older products. More info at Microsoft Support
Lifecycle website: http://support.microsoft.com/lifecycle/

Tool:
Check your system for missing or misconfigured patches using Microsoft
Baseline Security Analyzer (MBSA) -
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
For 3rd-party tools for scanning your computer for missing updates, hotfixes
or outdated versions, please see the list at
http://www.dozleng.com/updates/index.php?showtopic=13587

Regards,
Donna Buenaventura
Windows Security MVP
  Donna Buenaventura replied...
11-Dec-07 01:41 PM
Known issues as per Microsoft:

Microsoft Security Bulletin MS07-064: Microsoft Knowledge Base Article
941568 documents the currently known issues that customers may experience
when they install this security update. The article also documents
recommended solutions for these issues.
http://support.microsoft.com/kb/941568

Microsoft Security Bulletin MS07-069 - Microsoft Knowledge Base Article
942615 documents the currently known issues that customers may experience
when they install this security update. The article also documents
recommended solutions for these issues.
http://support.microsoft.com/kb/942615

NOTE: If the KB article pages are not available, please try again later.
  Tom [Pepper] Willett replied...
11-Dec-07 02:46 PM
Donna:  I see nothing on those pages regarding known issues.

  MowGreen [MVP] replied...
11-Dec-07 03:16 PM
You will Tom, you will. There is just nothing to show at the mowment.


MowGreen  [MVP 2003-2008]
===============
*-343-*  FDNY
Never Forgotten
===============
  Tom [Pepper] Willett replied...
11-Dec-07 03:22 PM
Okay.  Thanks, Steve.

Tom
  PA Bear replied...
11-Dec-07 11:21 PM
More: http://aumha.net/viewtopic.php?t=30454 &ff
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L.ORG http://66.39.69.143/
  TaurAria replied...
12-Dec-07 12:05 AM
Robear, you may wish to add the links to the article re Office 2007 -

http://support.microsoft.com/Default.aspx?kbid=936982
and/or
http://www.microsoft.com/downloads/details.aspx?FamilyId=9EC51594-992C-4165-A997-25DA01F388F5&displaylang=en

Kaylene
  HEMI-Powered replied...
12-Dec-07 05:30 AM
Donna Buenaventura added these comments in the current
discussion du jour ...

Donna, what is your level of confidence on these updates? i.e.,
are they going to work for the vast majority of people or be
problematic for at least some percentage? I ask because I never
do the updates the day they are released by MS, preferring to
lurk for awhile in this and other MS peer-to-peer help NGs to see
what issues others may be having.

And, how does any customer or group of customers figure out if
the particular vulnerability even applies to them? If not, seems
like risking a problem for a fix that isn't needed.

Thanks.

--
HP, aka Jerry
  Leonard Grey replied...
12-Dec-07 10:08 AM
Non-issues as far as I am concerned. I rely on Microsoft Update to
present only those updates that my computer needs and I image my system
partition before installing. If any problems occur (which has not
happened to me in years) I would just restore my image and watch the
newsgroups for advice.

---
Leonard Grey
Errare humanum est
  Donna Buenaventura replied...
12-Dec-07 11:11 PM
Hi,

I don't trust any updates because many things may or may not happen.  It is
recommended to update soon, especially if it's security-related and major bug
fixes that affect the user's application.  Every PC, including those from
vendors (e.g. Microsoft), has its own settings and other products that are
not the same for all users in the world, so what might work for User A, B, C...
may not work for User X, Y, Z.  Even if I don't trust any updates, I have to
install them to enjoy the fixes and improvements. I don't delay as I'm
confident I can go back to the good system state. Like Leonard, I rely on
backup and ensure that System Restore is functioning (not only running)
prior to installation of big updates.
If I may add here the link to what I wrote last year:  What to do before
If anything is screwed, I'll just try System Restore.  If no joy, I use the
full system backup.

Windows Update should only offer products that are applicable to your system
(Windows and other components that WU can detect/install/offer). It should
not offer products that are not installed on your machine. Although, today
it offered me some product updates that are nowhere to be found in my system:
http://www.dozleng.com/updates/index.php?showtopic=16588.

A suggestion:  Avoid using Automatic Updates but use the setting to notify
you on updates then review the offered updates.  Set to ignore the products
that you don't need or don't want to install (except security updates).

Sometimes MS releases a toolkit to block installation of a Service Pack or
an upgrade of a major component in Windows.

Regards,
Donna
  Allan replied...
13-Dec-07 12:49 AM
...snip


I agree but even some security updates may not be appropriate for a
particular computer. As an example, there is one update that only applies if
you have a third-party web browser such as Firefox installed. If all you
have is IE, you don't need that update. Without reading the bulletin for
that update you have no way to know this.
--
Allan
  PA Bear replied...
12-Dec-07 12:12 AM
Thanks, but I think Jim would consider that inappropriate in that forum (but
I embedded the link anyway <eg>).
--
~PAB
  PA Bear replied...
13-Dec-07 10:36 AM
IE is an integral part of the Windows Operating System, Allan.  If IE is
vulnerable, Windows is vulnerable, period.  It doesn't matter what browser
you use.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L.ORG http://66.39.69.143/
  MowGreen [MVP] replied...
13-Dec-07 06:54 PM
Reread what Allan posted, BroRo:



MowGreen  [MVP 2003-2008]
===============
*-343-*  FDNY
Never Forgotten
===============
  PA Bear replied...
13-Dec-07 07:59 PM
If AU offers a critical update, install it.
  Allan replied...
13-Dec-07 10:53 PM
Hello PA Bear,
The update which I alluded to as an example is this one :
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q911564
http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx . It is a
security update but I believe the level is "important" rather than
regulators to be a Windows component. We are talking about security rather
than legal distinctions here.

Again, this update pertains to installed non-IE third-party browsers such
as Firefox, Netscape, Safari beta, Opera. If you do not have any of them
installed, it is unnecessary to install this security update. It does not
make you any more secure to have it installed.
  MowGreen [MVP] replied...
14-Dec-07 04:26 AM
On second thought ... if one has installed the ActiveX plugin for WMP,
then this update should be installed. Ex: WMP plugin for Firefox
Signing off ... youse guyz can talk amongst yerselfs. <w>


MowGreen  [MVP 2003-2008]
===============
*-343-*  FDNY
Never Forgotten
===============