I'm sitting in the Nashville airport (literally, on the floor, with a nice Verizon Wireless EV-DO Rev-A connection) on the way home from Phoenix and decided to check up on email. (Taking a day off can be brutal.) Anyway, Microsoft sent along the following note about this month's security bulletins:

As part of Microsoft's commitment to deliver security updates on a predictable and consistent monthly schedule, Microsoft addressed nine vulnerabilities today by releasing six security bulletins:

· MS07-055 (Maximum severity of Critical): This update resolves a newly discovered and privately reported vulnerability in Microsoft Windows, which could allow an attacker to remotely execute code on the affected system.

· MS07-056 (Maximum severity of Critical): This update resolves a newly discovered and privately reported vulnerability in Microsoft Windows, which could allow an attacker to remotely execute code on the affected system.

· MS07-057 (Maximum severity of Critical): This update resolves three privately reported and one publicly disclosed vulnerabilities in Internet Explorer which could allow an attacker to remotely execute code on the affected system.

· MS07-058 (Maximum severity of Important): This update resolves a newly discovered and privately reported vulnerability in Microsoft Windows, which could allow an attacker to make a user's system become non-responsive and restart.

· MS07-059 (Maximum severity of Important): This update resolves a newly discovered and privately reported vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007, which could allow an attacker to run arbitrary script that could result in elevation of privilege within the SharePoint site.

· MS07-060 (Maximum severity of Critical): This update resolves a newly discovered and privately reported vulnerability in Microsoft Word, which could allow an attacker to run arbitrary code as the logged on user.

You might notice that Microsoft is shipping six bulletins this month, instead of seven as originally stated in the Advance Notification Service (ANS) last Thursday. As previously communicated, the ANS is always subject to change. Microsoft decided to remove one of the updates from the release schedule due to a quality control issue, so the issue can be resolved prior to releasing the update to customers.

You can find a more comprehensive bulletin summary at Microsoft's Security Update Archive: http://www.microsoft.com/technet/security/current.aspx.

Also, Microsoft recommends that all customers sign up for Microsoft Update (MU) and enable its Automatic Updates functionality to receive all updates available this month and to help make their systems more secure. Customers can sign up for MU by following the steps at: http://update.microsoft.com/microsoftupdate.

Additional Resources

The monthly installment of the technology to remove malicious software from users' systems is available today as well. This month's update removes Win32/Rjump. Customers can download the tool at www.microsoft.com/malwareremove.

Microsoft encourages system administrators to join the monthly technical webcast to learn more about the October security updates, the Malicious Software Removal Tool and the TechNet IT Pro Security Newsletter column on Principles of Patch Management. The webcast is scheduled for Wednesday, October 10, 2007 at 11:00 AM PDT. Registration is available at http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032344692&EventCategory=4&culture=en-US&CountryCode=US.

Microsoft encourages IT professionals to tune into the monthly TechNet Radio interview with Security Program Manager Christopher Budd, where he will discuss this month's security updates. This interview can be downloaded at http://www.microsoft.com/tnradio.