The official corporate security response blog

  • MSRC

    Announcing BlueHat v6

    Hi, Andrew Cushman here.

    I wanted to let you know that BlueHat is back in Redmond, as BlueHat v6: The Vuln Behind The Curtain opens September 27th and 28th. Once again we have two days of great security content that covers the spectrum of issues in security.  For more information please see the BlueHat Blog at http://blogs.technet.com/bluehat/.

    Thanks.

    Andrew 

    *This posting is provided "AS IS" with no warranties, and confers no rights.* 

  • MSRC

    Detection and Deployment Logic Update for MS07-052

    Hi everyone.  Ben from the MSRC here. I am the case manager that handled the Crystal Reports for Visual Studio Bulletin, MS07-052, and I wanted to let you know that today we updated our detection and deployment logic for that bulletin.

    First, I want to note that we’re not making any changes to the update itself given it protects against the vulnerability discussed in the bulletin.  If you’ve applied it successfully already, you have no further action.

    What we have done is change our detection logic update for the Visual Studio 2005 Service Pack 1 update only.  This change will address an issue where some customers were being offered KB937061 repeatedly after they had installed the update.  This only occurred if they did not have the Crystal Reports for Visual Studio feature enabled, which is installed and enabled by default for Visual Studio 2005.  Any customers who chose to minimize their installation footprint of VS 2005 and explicitly ‘unchecked’ Crystal Reports during installation would have been impacted by this issue after they applied the Visual Studio 2005 Service Pack 1 update. The change today addresses that and ensures customers will not be reoffered the update after KB937061 is applied.

    -Ben

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Technical Tips and Insights on MS07-054 and KB941835

    Hi everyone.  Jonathan from the SWI team in the MSRC here again.  I'd like to give some more detail around the conditions required to exploit MS07-054, the vulnerability in MSN Messenger and Windows Live Messenger. 

    You can read from the bulletin that MS07-054 affects MSN Messenger 6.2, 7.0, 7.5 and Windows Live Messenger 8.0.  It has been fixed in Windows Live Messenger 8.1, which has been automatically offered to users since February 2007.  The vulnerability is in the library that handles the video chat webcam protocol.  The 7.0.0820 release is a version of 7.0 with the fixed 8.1 webcam library (hermes.lib).  Windows 2000 and older clients will need to upgrade to 7.0.0820.

    I'd also like to point out some pretty significant mitigations in place for this vulnerability.  The vulnerability is specifically in the webcam protocol and is only exercisable during an established videochat session.  An attack can’t happen unless you accept a videochat invitation from a malicious user like you see in this graphic:

    And by default you can only videochat with people on your buddy list.  However, if you accept a webcam videochat invitation from a malicious attacker, you can be exploited even if you don't have a webcam yourself.  We support one-way video chat, so until you upgrade to either 7.0.0820 or 8.1, be especially cautious about accepting webcam videochat invitations.

    We hope that this information was interesting and useful to you.  Thanks for reading!

    Jonathan


    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    September 2007 Monthly Release

    Hello,

    This is Christopher Budd.  I wanted to go ahead and let you know that we’ve posted our bulletins for the September 2007 monthly release.

    This month we’ve released:

    • MS07-051: This bulletin addresses a vulnerability in Microsoft Agent on Windows 2000 only. This bulletin is rated “Critical”.
    • MS07-052: This bulletin addresses a vulnerability in Crystal Reports which shipped with some versions of Visual Studio. You can find out which specific versions are affected in the bulletin. This bulletin is rated “Important”.
    • MS07-053: This bulletin addresses a vulnerability in Services for UNIX and the Subsystem for UNIX-based Applications. This bulletin is rated as “Important”.
    • MS07-054: This bulletin addresses a vulnerability in older versions of MSN Messenger and Windows Live Messenger. The current version, Windows Live Messenger 8.1, is not affected by this issue. This bulletin is rated as “Important”.

    We are also planning to release an update to the Microsoft Windows Malicious Software Removal Tool as we do each month.

    And finally, as we do each month, Mike Reavey and I will be hosting our regular webcast tomorrow at 11 a.m. Pacific Time. We’ll review the bulletins and provide you with answers on the air to your questions from our subject matter experts.

    You can register for the webcast here:

    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032344692&EventCategory=4&culture=en-US&CountryCode=US

    Thanks.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    September 2007 Bulletin Release Advance Notification

    Hello,

    This is Christopher Budd and today is the Thursday before the scheduled September 2007 bulletin release on Tuesday Sept. 11, 2007.

    As we do each month, as part of our processes to help make security updates more predictable and assist with your planning, we’ve posted our Advance Notification with preliminary information about next week’s release. As a reminder, we provide this early information to help with planning, but it can change between now and next Tuesday.

    As part of our regularly scheduled bulletin release, we’re currently planning to release five security bulletins:

    • One Microsoft Security Bulletin affecting Microsoft Windows with a Maximum Severity rating of Critical. These updates will require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

    • One Microsoft Security Bulletin affecting Microsoft Visual Studio with a Maximum Severity rating of Important. These updates will not require a restart and will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.

    • One Microsoft Security Bulletin affecting Microsoft Windows Services for UNIX and the Subsystem for UNIX-based Applications with a Maximum Severity rating of Important. This update will require a restart and will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.

    • One Microsoft Security Bulletin affecting Microsoft MSN Messenger, Windows Live Messenger with a Maximum Severity rating of Important. This update will not require a restart. These products provide built-in mechanisms for automatic detection and deployment of updates.

    We are also planning to release an update to the Microsoft Windows Malicious Software Removal Tool as we do each month.

    Finally, we are planning to release one high-priority, non-security update on Microsoft Update and none on Windows Update.

    Here’s a reminder to join me and Mike Reavey next Wednesday, September 12, 2007 at 11 a.m. Pacific Time for our regular monthly bulletin webcast. We’ll be reviewing the bulletins and, most importantly, answering your questions on the air with information that our subject matter experts have put together. If you can’t make the live webcast, remember you can listen to it on-demand after it’s done. You can register for the live or on-demand webcast here:

    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032344690&EventCategory=4&culture=en-US&CountryCode=US

    Thanks,

    Christopher

    Update:

    Hello this is Christopher again.  I wanted to let you know that we have updated our posting because we will only be releasing 4 security bulletins: the bulletin identified as the Microsoft Windows and Microsoft SharePoint Server bulletin will not be released on Tuesday.

    We continue to plan to release the 4 remaining bulletins referenced above.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*
