And patches 10 vulnerabilities in January

Jan 10, 2007 08:41 GMT  ·  By

It has been a light patch debut in 2007 for Microsoft. The Redmond company initially planned a total of eight security bulletins in January, but the original Microsoft Security Bulletin Advanced Notification was revised just one day after its release to list only four patches. "Included among the delayed releases are fixes for various Word issues. The updates for January that did make the cut cover 10 distinct vulnerabilities, which were primarily file-based, client-side issues in the Office suite," revealed Ben Greenbaum, the manager of the DeepSight threat analysis team at Symantec.

Here are Microsoft's Security Bulletins for January, as presented by Christopher Budd, a Security Program Manager at Microsoft:

Microsoft Office (MS07-001) - maximum severity rating of Important - vulnerabilities could allow an attacker to run code in the context of the logged on user.

Microsoft Office (MS07-002) - maximum severity rating of Critical - vulnerabilities could allow an attacker to run code in the context of the logged on user.

Microsoft Office (MS07-003) - maximum severity rating of Critical - vulnerabilities could allow an attacker to run code in the context of the logged on user.

Microsoft Windows (MS07-004) - maximum severity rating of Critical - vulnerabilities could allow an attacker to run code in the context of the logged on user.

These patches are designed to address a total of 10 vulnerabilities. One affects the Brazilian Grammar Checker in Office 2003. Five impact Microsoft Excel, providing fixes for Excel Malformed Record, Excel IMDATA Record, Excel Malformed Column Record, Excel Malformed String Remote and Excel Malformed Palette. Microsoft also delivered a fix for the Windows Vector Markup Language Buffer Overrun Vulnerability and three patches for flaws in Outlook.

However, the Redmond company has failed to provide a patch for the highly publicized Windows Vista vulnerability. In fact, Microsoft is keeping quiet about all four patches that it has pulled from the January security bulletins list. But as Vista is scheduled for availability on January 29, 2007, Microsoft will have to publish an out-of-band release of the remaining patches.