Severity: Medium

14 August, 2007

Summary:

Today, Microsoft released a bulletin describing two security vulnerabilities affecting Windows Media Player. By enticing one of your users into viewing a maliciously crafted skin file for Windows Media Player, an attacker could execute code on your user’s computer, potentially gaining complete control of it. If your users listen to or view media via Windows Media Player, you should download, test, and deploy the appropriate Microsoft patches as quickly as possible.

Exposure:

Windows Media Player (WMP) is the popular multimedia playback application that ships with Windows. WMP supports the use of skins, sets of scripts, art, media, and text files that create a new appearance for the media player.

In a bulletin released today as part of Patch Day, Microsoft describes two vulnerabilities that affect WMP 7, 9, 10, and 11. Though the vulnerabilities differ technically, they both involve WMP skin files, and have the same scope and impact. If an attacker can entice one of your users into viewing a maliciously crafted WMP skin, he could exploit either flaw to execute code on your user’s system, with your user’s privileges. If that user had local administrative privileges, the attacker gains complete control of that user’s

Severity: High

14 August, 2007

Summary:

Today, Microsoft released a security bulletin describing a vulnerability affecting Excel for Windows and Mac. If an attacker can entice one of your users into opening a maliciously-crafted Excel document, he can execute code on your user’s machine, possibly gaining complete control of it. If your company uses vulnerable versions of Microsoft Office or Excel, you should download, test and deploy Microsoft’s patches as soon as possible.

Exposure:

Microsoft’s security bulletin describes a new flaw affecting Microsoft Excel 2000, XP, and 2003 for Windows; and Excel 2004 for Mac. Excel doesn’t properly validate a particular index value in an Excel Workspace. Opening a specially crafted Excel worksheet could trigger this flaw and cause memory corruption vulnerability.

By enticing one of your users into opening a such a maliciously crafted Excel document, an attacker could exploit this flaw to execute code on your user’s system, with your user’s privileges. If your user has local administrative privileges, an attacker would gain complete control of his or her computer. To get your user to open the booby-trapped Excel file, the attacker might host it on a web site or send it via e-mail.

Solution Path

Microsoft has released patches correcting this

Severity: High

14 August, 2007

Summary:

Today, Microsoft released two security bulletins describing four vulnerabilities in Internet Explorer. By tricking one of your users into visiting a maliciously crafted Web page or into opening a maliciously crafted HTML email, an attacker could exploit any of these new vulnerabilities to execute code on your user’s computer, with your user’s privileges. In the worst case, the attacker could gain complete control of the victim computer. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately.

Exposure:

In two security bulletins (MS07-045 and MS07-050) released today as part of their monthly patch update, Microsoft describes four vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7. Microsoft rates all four of the vulnerabilities “Critical” and each vulnerability affects all current versions of Windows, including Vista, to some extent.

The vulnerabilities fall into two general categories:

1. Problems with interpreting .css files
2. Improper input validation on several ActiveX controls

All of the vulnerabilities share the same repercussions. If an attacker can trick one of your users into visiting a specially crafted web page, he can exploit any of these flaws to execute code on your user’s computer, with your

Severity: High

14 August, 2007

Summary:

Today, Microsoft released four security bulletins describing vulnerabilities that affect Windows and components shipping with it. A remote attacker could exploit the worst of these flaws to execute code on your Windows PC, potentially gaining complete control of it. For a table briefly summarizing which vulnerabilities affect which versions of Windows, see Microsoft’s Security Bulletin Summary for August and expand the section, “Affected Software and Download Location.” If you manage a Windows network, you should download, test, and deploy the appropriate Windows patches throughout your network as soon as possible.

Exposure:

Microsoft’s four security bulletins detail vulnerabilities found in, or affecting, components of Windows. Each vulnerability affects different versions of Windows to a different extent. The summary below lists the vulnerabilities from highest to lowest severity.

MS07-046:Graphics Device Interface (GDI) Remote Code Execution Vulnerability

The Graphics Device Interface (GDI) that ships with all current versions of Windows suffers from an unspecified “code execution vulnerability” involving the way the GDI handles specially crafted images. By enticing one of your users into opening and viewing a malicious image (for example, one from a web site or attached to an email), an attacker could exploit this