Only VS 2005 SP1 is affected

Sep 13, 2007 14:36 GMT

Microsoft delivers updates for its software products in a monthly cycle. And just in case users got to enjoy the entire process associated with deploying updates, this month the company gave them a taste of something new: a refresh that will install over and over again. With Microsoft Security Bulletin MS07-052, labeled with a severity rating of Important, Microsoft delivered a couple of days ago a fix for a vulnerability in Crystal Reports for Visual Studio that, in the eventuality of a successful exploit, could lead to remote code execution. The update impacts Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003, Visual Studio .NET 2003 Service Pack 1, Visual Studio 2005 and Visual Studio 2005 Service Pack 1. But it should be limited only to the versions of Visual Studio that have the Crystal Reports optional component.

However, this is not the case. Essentially, Windows Update serves MS07-052 (941522) to both 32-bit and 64-bit Windows Vista and Windows XP copies with Visual Studio SP1, and informs the user that the installation was successful even if the Crystal Reports component was missing. "This important security update resolves a publicly disclosed vulnerability. This vulnerability could allow remote code execution if a user opens a specially crafted RPT file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This is an important security update for supported editions of Visual Studio that include a custom version of Crystal Reports. Only the specific editions of Visual Studio listed in the Affected Software section are affected because they contain Crystal Reports," Microsoft informed.

In case Crystal Reports is already a part of - or is added to - the Visual Studio installation, Windows Update delivers a single update. Otherwise, the update is continually offered and installed again and again, ad infinitum. Users who tried to trick the installation process and enable Crystal Reports on Visual Studio only to uninstall the component at a later date reported that the update started to be served again after removal. Microsoft promised to deliver a fix for the issue. "If you have VS 2005 SP1 present but the Crystal Reports feature is not present, MS07-052 is re-offered. Customers are protected and are not at risk to this vulnerability. We will be updating the detection on Microsoft Update, customers that have already installed this update need to take no action. We are working to resolve this issue and it should be fixed shortly," Microsoft's Eric Brodish explained.