January 2008

ID: 3559
Date: 24/01/2008

---

Title: 3559 - Microsoft Security Bulletin Minor Revisions
Platform level affected:Net Application - Client
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Enterprise Application
Other software: Web Browser
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Microsoft
Applications affected:Internet Explorer, Windows, DirectX
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Microsoft Corporation
Reliability of source: Trusted
Source URL: http://www.microsoft.com/technet/security/
Abstract: Details of some minor revisions to 4 Microsoft Security Bulletins

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 23, 2008
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-068 - Critical
  * MS07-057 - Critical

Bulletin Information:
=====================

* MS07-068 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
  - Reason for Revision: Bulletin updated to add an FAQ regarding
    installing the updates for Windows Media Format Runtime 9.5
    on Windows XP Professional x64 Edition. 
  - Originally posted: December 11, 2007
  - Updated: January 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS07-057 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-057.mspx
  - Reason for Revision: Bulletin revised to address rendering issues. 
  - Originally posted: October 9, 2007
  - Updated: January 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.3
       

Other Information
=================

Recognize and avoid fraudulent e-mail to Microsoft customers:
=============================================================
If you receive an e-mail message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious Web sites. Microsoft does not distribute security updates via e-mail.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, it is not required to read security notifications, security bulletins, security advisories, or install security updates. You can obtain the MSRC public PGP key at https://www.microsoft.com/technet/security/bulletin/pgp.mspx.

To receive automatic notifications whenever Microsoft Security Bulletins and Microsoft Security Advisories are issued or revised, subscribe to Microsoft Technical Security Notifications on http://www.microsoft.com/technet/security/bulletin/notify.mspx.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQIVAwUBR5fhnFKuubOIpnsTAQKICw//fxxGIACycdHmZdPlMAgZh8LvBParbq0z
IyZiYnUAOCnsfwxx15QPIpaUCqqkzmlp9gIWJfJRr2x2jsrFrrXEaPaufLxuDLv/
Xpdr7GG2xrXuFEtxHFhaAHxoieaezmXtbsNuOaSurvx3ZoP/RUpk4lvbCX0GNhmf
gTW5IyHwPw25eNl6yieBKJ7EsTgsrbtu/rKVNBl6EuRY9OfqvKLTVF/acKr0dypF
qNeebZlZ8R8Ddt0pSdscYhB8xfLrLBldrDWIEJplVKicGxNZn64sxqs5YmUlttz5
7xLjgyJnZkMPQQFi9pAuxtycLV9Sng0ZTQ5eeAEYgj34E4IhqlkOFfjGMRCyIwE4
oTs0NLcJMcsFbL4bzJyLKpLFGcBbKWHD3uAu8Z3XX7AXm3E2enUvd6DEXuh5ag6E
BZRKg9QeIvpA63KfE+4b085r5ptInrF11XlB6QJsBcfMNTz46fe9KVOdCstj5cMT
zi00w9Ma6BCSobRHEoXz1ALbIj298dQuMOvfhmIpcXSmhE776plBjt0Pakg1dePQ
KaW+d+nsx1juSrui935UGMg1Lij29banIgoLVzOjbqBl8C1K8lfc4Alvc29cK1vg
z3hN2krpqcTXmNP/Zc86NC6ITjRE0URxh3sW7+DiOy/gV6u9QLe6U3PBoLc7mDOC
4qR2+O0If6s=
=Z2Tr
-----END PGP SIGNATURE-----

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: January 23, 2008
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-001 - Critical
  * MS07-064 - Critical

Bulletin Information:
=====================

* MS08-001 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
 - Reason for Revision: Bulletin updated to add Windows Small
    Business Server 2003 Service Pack 2 as an affected product.
    Also added an FAQ to clarify that current Microsoft detection
    and deployment tools already correctly offer the update to
    Windows Small Business Server 2003 Service Pack 2 customers. 
 - Originally posted: January 8, 2008
 - Updated: January 23, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0
   
* MS07-064 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
 - Reason for Revision: Bulletin updated to reflect that DirectX 9.0
    and 9.0b are also included in this update. 
 - Originally posted: December 11, 2007
 - Updated: January 23, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0
       

Other Information
=================

Recognize and avoid fraudulent e-mail to Microsoft customers:
=============================================================
If you receive an e-mail message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious Web sites. Microsoft does not distribute security updates via e-mail.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, it is not required to read security notifications, security bulletins, security advisories, or install security updates. You can obtain the MSRC public PGP key at https://www.microsoft.com/technet/security/bulletin/pgp.mspx.

To receive automatic notifications whenever Microsoft Security Bulletins and Microsoft Security Advisories are issued or revised, subscribe to Microsoft Technical Security Notifications on http://www.microsoft.com/technet/security/bulletin/notify.mspx.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQIVAwUBR5fhY1KuubOIpnsTAQK2gw//VnoZIjBV8Sx0pVlvW6M1GLLa2sQu9ECb
cC7Ax7ULYzlxsSH1ZknRRbXOLmCOzZ/9g66RAR2IvXcQClmTE5xfZfbmWrOBh/xW
XZtaWqJP3MGXt06l6T0gKnJybIhM7WprO1LFF3ijm+T1dj9Xtun6ZPSoJ7H1i4G9
XEjMkM0cn9BOWge01mX867FVgJVNIwaYLrpqXzDam5NEJq3iqXzpkHb4mmAEXEW8
X4Mml6d8mKHnQtLjoo0bSmEAVL9VK5zV/Y9DyalIIv44T/bK3kAkegfm7NLrGYG/
8nnuGhzrDODS7LS1sNw2hx8A0F3SpMefpIRaE7HeBk75ZWojSgvBvVjglzQu7H4e
St1fJnBoTZSXDHnurCdT5CXMhxYA+3Jft1kcm7x1enXiEry+BmeT/h2RZqSG0EvH
Ri+BY/+FGOcDn4BXuEBaSePHRW6lEuHs6yVFtf27M32v6UHwbWxy5PaV390LVPTo
KeKTiaxeHyryT/PJPUwmIagnVtLT+rFXZ05n5HcAcroFYgwF9fOq5BD0rvndUVmu
AW0b7VNNZ2Mu5GsjnLbU0gQaX57MRpHvU32/JJ84zuBqThuMD7bAwTEO+va/UVoZ
WnL/IeKM1wKD0YhJMiOrWd6QDXvA2CddR3VXsjoyThPV/ZJ7E19uJRBcR9BFbSMM
tWAreRHfmt8=
=rLoC
-----END PGP SIGNATURE-----

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.