As Microsoft does on a regular basis, they have issued an advanced security bulletin notification for May 2011, which contains two bulletins affecting Windows Server and Microsoft Office.

The first bulletin affecting Windows Server is rated as critical due to remote code execution, the following versions of Windows Server are affected: Windows Server 2003 SP2 (x86, x64, and Itanium-based systems), Windows Server 2008 (x86 and x64), Windows Server 2008 SP2 (x86 and x64), and Windows Server 2008 R2 RTM and SP1 (x64).

The second bulletin covers Microsoft Office, which is important with a “vulnerability impact” of remote code execution, and affects the following versions of Office: Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2.

These security bulletins will be addressed next Tuesday, which is May 10, 2011.

Exploitability Index Update

Microsoft uses the Exploitability Index to let users know how likely it is that the vulnerability could be consistently exploited. However, currently the Exploitability Index provides an aggregated rating, meaning that all versions are grouped together. The problem is a lot of times newer versions of Microsoft software provide mitigation features making the vulnerabilities very hard to exploit, or they may be nonexistent.

With the updated Exploitability Index Microsoft will detail the possibilities of a consistent exploit of the vulnerability on the newest version of the software, then aggregate all the older versions together in a separate rating.

For more information, see: Exploitability Index Improvements Now Offer Additional Guidance.

Service Pack 1 for Windows 7 and Windows Server 2008 R2 is now available to the public. The service pack is mainly a bug fix for Windows 7, but does introduce a couple new features for Windows Server.

What’s new in Windows 7 SP1

As mentioned, most of Service Pack 1 was purely bug fixes, however, there are a few specifics. These fixes include improved reliability when connecting HDMI audio devices, printing using the XPS Viewer, and restoring previous folders in Windows Explorer after restarting.

Lot’s of fun stuff, right?

What’s new in Windows Server 2008 R2 SP1

The first new feature for Windows Server 2008 R2 SP1 is Dynamic Memory, which “takes Windows Server’s Hyper-V feature to a whole new level. Dynamic Memory lets you increase virtual machine density with the resources you already have—without sacrificing performance or scalability.”

Confusing, right? It simply means that virtual machines are dynamically allocated memory when required. Dynamic Memory will also take memory from a virtual machine and give it to another when the other virtual machine needs more resources.

The second new feature is RemoteFX, this “is an exciting technology that lets you virtualize the Graphical Processing Unit (GPU) on the server side and deliver next-generation rich media and 3D user experiences for VDI.”

This too contains a lot of fancy words, but allows end clients to view rich media and interactive 3D experiences over remote desktop.

Where to get it

If you haven’t checked, open up Windows Update and check for updates manually, if Service Pack 1 does not appear, then you may need to wait a little bit as the update will be rolled out over time.

However, if you really want to get the update as soon as possible, you can download it from the Microsoft Download Center. Please be aware that the update is around 2GB, compared to the one you might receive over Windows Update, which would be anywhere from 50MB – 500MB. You will also need to validate your version of Windows using the Windows Genuine Advantage, requiring Internet Explorer.

Update: Added what was new in SP1 for Windows 7.

Microsoft on Friday released Security Advisory 2501696, in this advisory they warn of an MHTML vulnerability which could allow unintended information disclosure. This vulnerability affects all versions of Windows and Windows Server.

The vulnerability lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used by applications to render certain kinds of documents. The impact of an attack on the vulnerability would be similar to that of server-side cross-site-scripting (XSS) vulnerabilities.  For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user’s computer for the rest of the current Internet Explorer session.  Such a script might collect user information (eg., email), spoof content displayed in the browser, or otherwise interfere with the user’s experience.

Source: Microsoft Security Response Center

Microsoft says they have seen no current active exploitations of this flaw, but it is highly unlikely it will remain that way for much longer.

Microsoft has also released a “Microsoft Fix It” program which will lockdown MHTML, this would mitigate the possibility of an attack. You can find this on KB2501696. Another way to prevent this from happening to you is to, as usual, not click any suspicious links in email and/or on the web. Interesting how that is always a mitigating factor, isn’t it?

I will keep you updated on this issues as information becomes available.

On January 4, Microsoft issued Security Advisory 2490606 which warns of a vulnerability in the Windows Graphics Rendering Engine. The advisory says “an attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user.” Which means that the exploit could then install programs; view, edit and delete data; create new accounts with full rights and so forth.

If your account runs with lower privileges, you would be less susceptible to such attacks (new accounts couldn’t be created that is, programs couldn’t be installed depending upon your set rights and such).

Currently Microsoft is not aware of any attacks using this vulnerability, but they said they will be monitoring this closely, and if need be, issue an out-of-band patch. Though that currently is not likely.

In order for this vulnerability to be exploited, all a user has to do is view a directory listing in Windows Explorer with a specially crafted thumbnail for a document (such as a Word or PowerPoint). A user can fall victim to this vulnerability through email as well, however, they must open the document first.

The following operating systems are affected by this issue:

• Windows XP SP3
• Windows XP Professional SP2 (x64)
• Windows Server 2003 SP2 (x86, x64 and Itanium-based systems)
• Windows Vista SP1 and SP2 (x86 and x64)
• Windows Server 2008 with and without SP2 (x86, x64 and Itanium-based systems)

However, if you are running Windows 7 or Windows Server 2008 R2 you are not affected by this vulnerability.

If you are worried you will fall victim to such an attack, see Microsoft KB Article 2490606 which contains a Microsoft Fix It which will restrict access to shimgvw.dll which is a source of this vulnerability. If you do apply this Microsoft Fix It “solution” be sure to bookmark the page so you can undo the actions once this vulnerability has been fixed in the future.