Security Bulletin

Microsoft Security Bulletin MS07-048 - Important

Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123)

Published: August 14, 2007

Version: 1.0

General Information

Executive Summary

This important security update resolves two privately reported vulnerabilities in addition to other vulnerabilities identified during the course of the investigation. These vulnerabilities could allow an anonymous remote attacker to run code with the privileges of the logged on user. If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget an attacker could potentially run code on the system. In all attack vectors, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This is an important security update for all supported editions of Windows Vista. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the vulnerability by improving validation code within the Feed Headlines and Contacts Gadgets. The Inspect Your Gadget document outlines secure programming best practices that should be followed when building Gadgets. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation: Microsoft recommends that customers apply the security update.

Known Issues: Microsoft Knowledge Base Article 938123 documents any currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.

Affected and Non-Affected Software

The software listed here has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Frequently Asked Questions (FAQ) Related to This Security Update

What are the known issues that customers may experience when they install this security update?
Microsoft Knowledge Base Article 938123 documents any currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.

Why does this update address several reported security vulnerabilities?
This update addresses several vulnerabilities because the modifications for these issues are located in related files. Instead of having to install several updates that are almost the same, customers can install only this update.

Does this update contain any security-related changes to functionality? 
Yes. Besides the changes that are listed in the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the bulletin section, Vulnerability Information, this update includes defense-in-depth improvements to the Windows Stocks Gadget.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

Windows Vista Feed Headlines Gadget Could Allow Remote Code Execution - CVE-2007-3033

A remote code execution vulnerability exists in Windows Vista Feed Headlines Gadgets that could allow a remote anonymous attacker to run code with the privileges of the logged on user.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3033.

Mitigating Factors for Windows Vista Feed Headlines Gadget Could Allow Remote Code Execution - CVE-2007-3033

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, which could reduce the severity of exploitation of this vulnerability. The following mitigating factor may be helpful in your situation:

• The user needs to subscribe to a untrusted or compromised RSS feed in the Feed Headlines Gadget using Internet Explorer.

Workarounds for Windows Vista Feed Headlines Gadget Could Allow Remote Code Execution - CVE-2007-3033

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disable the Feed Headlines Gadget:

  To disable the Feed Headlines Gadget, follow these steps:

  1. Right click in Sidebar.
  2. Select Properties from the menu.
  3. In the Windows Sidebar Properties dialog click the View list of running gadgets button.
  4. Select the Feed Headlines Gadget and click the Remove button.

  Impact of Workaround: The Feed Headlines Gadget is disabled.

• Uninstall the Feed Headlines Gadget:

  To uninstall the Feed Headlines Gadget, follow these steps:

  • Right click in Sidebar.
  • Select Add Gadgets… from the menu.
  • Right click on the Feed Headlines Gadget.
  • Select uninstall from the menu.

  Impact of Workaround: The Feed Headlines Gadget will be uninstalled.

• Modify the Access Control List on gadget.xml to be more restrictive:

  Applying this workaround may cause the installation of security updates provided with this security bulletin to fail.

  To modify the Access Control List (ACL) on gadget.xml to be more restrictive, follow these steps:

  1. Click Start, click All Programs, click Accessories, right click on Command Prompt, click Run as administrator, and then click Continue.
  2. Type the following command at a command prompt:
     cd %ProgramFiles%\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US
  3. Type the following command at a command prompt make a note of the current ACL’s that is on the file (including inheritance settings) for future reference to undo this modification:
     takeown /f gadget.xml
  4. Type the following command at a command prompt to ACL the Feed Headlines Gadget. Make a note of the current ACL’s that are on the file (including inheritance settings) for future reference to undo this modification:
     icacls gadget.xml /deny Everyone:(R,RX)
  5. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: The Feed Headlines Gadget is disabled.

• Disable Sidebar in Group Policy

  To disable Sidebar in Group Policy, follow these steps:

  1. Click Start, click Run, type “gpedit.msc”, and then click Continue.
  2. Under Local Computer Policy\Computer Configuration double click Administrative Templates, double click Windows Components, and then double click Windows Sidebar.
  3. Change the value of the Turn off Windows Sidebar setting to Enabled:
  4. Right click on Turn off Windows Sidebar.
  5. Select Properties from the menu.
  6. Select the Enabled radio button.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

• Disable the Sidebar in the system registry

  Disabling Sidebar by creating a new registry key helps protect the affected system from attempts to exploit this vulnerability. To create a new Sidebar registry key, follow these steps:

  Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note: We recommend backing up the registry before you edit it.

  1. Click Start, click Run, type “regedit” (without the quotation marks), and then click Continue.
  2. Expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Windows, expand CurrentVersion, and then expand Policies.
  3. Right click on Policies, select New, select Key, and then type Windowsas the file name.
  4. Right click on Windows, select New, select Key, and then type Sidebaras the file name.
  5. Right click on Sidebar, select New, select DWORD (32-bit) Value, and the type TurnOffSidebaras the Name.
  6. Right click on TurnOffSidebar, and then change Value data: to 1.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

FAQ for Windows Vista Feed Headlines Gadget Could Allow Remote Code Execution - CVE-2007-3033

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could run code on the vulnerable system.

What causes the vulnerability
The Feed Headlines Gadget does not perform sufficient validation when parsing HTML attributes.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run code on the affected system.

How could an attacker exploit the vulnerability?
The Feed Headlines Gadget is installed on Windows Vista and is enabled by default. The user needs to subscribed to a RSS feed in the Feed Headlines Gadget using Internet Explorer. Once a feed is subscribed an attacker must send a specially crafted RSS post using the existing subscription to exploit the system. An attacker could then execute code in the context of the logged on user from the subsequent malicious or specially crafted feed over the internet.

What is a Gadget?
Gadgets are mini-applications designed to provide the user with information or utilities. Windows Vista treats gadgets similar to the way Windows Vista treats all executable code. Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as web pages are. HTML content in the Gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer. This download process is similar to applications (.exe files) downloaded from the Internet.

Could the vulnerability be exploited over the Internet?
Yes, this vulnerability could be exploited over the internet once a user has subscribed to a malicious RSS feed in the Feed Headlines Gadget, or if a trusted feed is compromised by an attacker.

What systems are primarily at risk from the vulnerability?
Any Windows Vista system where the Feed Headlines Gadget is enabled and subscribed to RSS feeds.

What does the update do?
The update removes the vulnerability by adding additional checks on HTML attributes within the Feed Headlines Gadgets.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Windows Vista Contacts Gadget Could Allow Code Execution - CVE-2007-3032

A code execution vulnerability exists in Windows Vista Contacts Gadget that could allow an attacker to run code with the privileges of the logged on user.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3032.

Mitigating Factors for Windows Vista Contacts Gadget Could Allow Code Execution - CVE-2007-3032

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, which could reduce the severity of exploitation of this vulnerability. The following mitigating factor may be helpful in your situation:

• The Contacts Gadget is not enabled by default. To be subject to exploitation of this vulnerability, the user must add the Contacts Gadget to Windows Sidebar.
• When the Contacts Gadget is enabled, the user must add or import specially crafted malicious contacts from an attacker.

Workarounds for Windows Vista Contacts Gadget Could Allow Code Execution - CVE-2007-3032

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disablethe Contacts Gadget:

  To disable the Contacts Gadget, follow these steps:

  1. Right click in Sidebar.
  2. Select Properties from the menu.
  3. In the Windows Sidebar Properties dialog click the View list of running gadgets button.
  4. Select the Contacts Gadget and click the Remove button.

  Impact of Workaround: The Contacts Gadget is disabled.

• Uninstallthe Contacts Gadget:

  To uninstall the Contacts Gadget, follow these steps:

  1. Right click in Sidebar.
  2. Select Add Gadgets… from the menu.
  3. Right click on the Contacts Gadget.
  4. Select uninstall from the menu.

  Impact of Workaround: The Contacts Gadget will be uninstalled.

• Modify the Access Control List on gadget.xml to be more restrictive:

  Applying this workaround may cause the installation of security updates provided with this security bulletin to fail.

  To modify the Access Control List (ACL) on gadget.xml to be more restrictive, follow these steps:

  1. Click Start, click All Programs, click Accessories, right click on Command Prompt, click Run as administrator, and then click Continue.
  2. Type the following command at a command prompt:
     cd %ProgramFiles%\Windows Sidebar\Gadgets\Contacts.Gadget\en-US
  3. Type the following command at a command prompt make a note of the current ACL’s that are on the file (including inheritance settings) for future reference to undo this modification:
     takeown /f gadget.xml
  4. Type the following command at a command prompt to ACL the Contacts Gadget. Make a note of the current ACL’s that are on the file (including inheritance settings) for future reference to undo this modification:
     icacls gadget.xml /deny Everyone:(R,RX)
  5. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: The Contacts Gadget is disabled.

• Disable Sidebar in Group Policy

  To disable Sidebar in Group Policy, follow these steps:

  1. Click Start, click Run, type “gpedit.msc”, and then click Continue.
  2. Under Local Computer Policy\Computer Configuration double click Administrative Templates, double click Windows Components, and then double click Windows Sidebar.
  3. Change the value of the Turn off Windows Sidebar setting to Enabled:
  4. Right click on Turn off Windows Sidebar.
  5. Select Properties from the menu.
  6. Select the Enabled radio button.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

• Disable Sidebar in the system registry

  Disabling Sidebar by creating a new registry key helps protect the affected system from attempts to exploit this vulnerability. To create a new Sidebar registry key, follow these steps:

  Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note: We recommend backing up the registry before you edit it.

  1. Click Start, click Run, type “regedit” (without the quotation marks), and then click Continue.
  2. Expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Windows, expand CurrentVersion, and then expand Policies.
  3. Right click on Policies, select New, select Key, and then type Windows as the file name.
  4. Right click on Windows, select New, select Key, and then type Sidebar as the file name.
  5. Right click on Sidebar, select New, select DWORD (32-bit) Value, and the type TurnOffSidebaras the Name.
  6. Right click on TurnOffSidebar, and then change Value data: to 1.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

FAQ for Windows Vista Contacts Gadget Could Allow Code Execution - CVE-2007-3032

What is the scope of the vulnerability?
This is a code execution vulnerability. An attacker who successfully exploited this vulnerability could run code on the vulnerable system in the context of the logged on user.

What causes the vulnerability
The Contacts Gadget does not perform sufficient validation on contacts when imported.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run code on the affected system in the context of the user.

How could an attacker exploit the vulnerability?
While the Contacts Gadget is installed on Windows Vista it is not enabled by default. A user would be required to enable the Contacts Gadget. An attacker would then have to send a specially crafted contact to an affected system, or persuade a user to visit a webpage that allowed the specially crafted contact to be downloaded. The user would have to add the malicious contact. Once the contact was added or imported the attacker could then execute code in the context of the logged on user when the contact was selected or if the contact were the first contact in the list.

What is a Gadget?
Gadgets are mini-applications designed to provide the user with information or utilities. Windows Vista treats gadgets similar to the way Windows Vista treats other executable code. Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as web pages are. HTML content in the Gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer. This download process is similar to applications (.exe files) downloaded from the Internet.

Could the vulnerability be exploited over the Internet?
Yes, this vulnerability could be exploited over the internet if a user added or imported the malicious contact file from the Internet into the Contacts Gadget. The contact would have to be selected or the first contact in the list.

What systems are primarily at risk from the vulnerability?
Any Windows Vista system where the Contacts Gadget is enabled would be at risk form the vulnerability.

What does the update do?
The update removes the vulnerability by adding additional checks on imported contacts within Contacts Gadget.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Windows Vista Weather Gadget Could Allow Remote Code Execution - CVE-2007-3891

A remote code execution vulnerability exists in Windows Vista Weather Gadgets that could allow an attacker to run code with the privileges of the logged on user.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3891.

Mitigating Factors for Windows Vista Weather Gadget Could Allow Remote Code Execution - CVE-2007-3891

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, which could reduce the severity of exploitation of this vulnerability. The following mitigating factor may be helpful in your situation:

• Links are not visible in the default view of the Weather Gadget. To view links in the Weather Gadget the user must drag and drop the Weather Gadget onto the desktop.
• Weather services provided in the Weather Gadget are not available in all geographical regions.

Workarounds for Windows Vista Weather Gadget Could Allow Remote Code Execution - CVE-2007-3891

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disable the Weather Gadget:

  To disable the Weather Gadget, follow these steps:

  1. Right click in Sidebar.
  2. Select Properties from the menu.
  3. In the Windows Sidebar Properties dialog click the View list of running gadgets button.
  4. Select the Weather Gadget and click the Remove button.

  Impact of Workaround: The Weather Gadget is disabled.

• Uninstall the Weather Gadget:

  To uninstall the Weather Gadget, follow these steps:

  • Right click in Sidebar.
  • Select Add Gadgets… from the menu.
  • Right click on the Weather Gadget.
  • Select uninstall from the menu.

  Impact of Workaround: The Weather Gadget will be uninstalled.

• Modify the Access Control List on gadget.xml to be more restrictive:

  Applying this workaround may cause the installation of security updates provided with this security bulletin to fail.

  To modify the Access Control List (ACL) on gadget.xml to be more restrictive, follow these steps:

  1. Click Start, click All Programs, click Accessories, right click on Command Prompt, click Run as administrator, and then click Continue.
  2. Type the following command at a command prompt:
     cd %ProgramFiles%\Windows Sidebar\Gadgets\Weather.Gadget\en-US
  3. Type the following command at a command prompt make a note of the current ACL’s that is on the file (including inheritance settings) for future reference to undo this modification:
     takeown /f gadget.xml
  4. Type the following command at a command prompt to ACL the Weather Gadget. Make a note of the current ACL’s that are on the file (including inheritance settings) for future reference to undo this modification:
     icacls gadget.xml /deny Everyone:(R,RX)
  5. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: The Weather Gadget is disabled.

• Disable Sidebar in Group Policy

  To disable Sidebar in Group Policy, follow these steps:

  1. Click Start, click Run, type “gpedit.msc”, and then click Continue.
  2. Under Local Computer Policy\Computer Configuration double click Administrative Templates, double click Windows Components, and then double click Windows Sidebar.
  3. Change the value of the Turn off Windows Sidebar setting to Enabled:
  4. Right click on Turn off Windows Sidebar.
  5. Select Properties from the menu.
  6. Select the Enabled radio button.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

• Disable the Sidebar in the system registry

  Disabling Sidebar by creating a new registry key helps protect the affected system from attempts to exploit this vulnerability. To create a new Sidebar registry key, follow these steps:

  Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note: We recommend backing up the registry before you edit it.

  1. Click Start, click Run, type “regedit” (without the quotation marks), and then click Continue.
  2. Expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Windows, expand CurrentVersion, and then expand Policies.
  3. Right click on Policies, select New, select Key, and then type Windows as the file name.
  4. Right click on Windows, select New, select Key, and then type Sidebar as the file name.
  5. Right click on Sidebar, select New, select DWORD (32-bit) Value, and the type TurnOffSidebaras the Name.
  6. Right click on TurnOffSidebar, and then change Value data: to 1.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

FAQ for Windows Vista Weather Gadget Could Allow Remote Code Execution - CVE-2007-3891

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could run code on the vulnerable system.

What causes the vulnerability
Weather Gadget does not perform sufficient validation when parsing HTML attributes.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run code on the affected system.

How could an attacker exploit the vulnerability?
In order to exploit this vulnerability, an attacker would have to compromise the user’s connection and convince the user to click a malicious link in the Weather Gadget. To view links in the Weather Gadget the user must first drag and drop the Weather Gadget onto the desktop. Links are not visible in the default view of the Weather Gadget.

What is a Gadget?
Gadgets are mini-applications designed to provide the user with information or utilities. Windows Vista treats gadgets similar to the way Windows Vista treats other executable code. Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as web pages are. HTML content in the Gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer. This download process is similar to applications (.exe files) downloaded from the Internet.

Could the vulnerability be exploited over the Internet?
No, this vulnerability can not be exploited over the internet by an anonymous attacker.

What systems are primarily at risk from the vulnerability?
Any Windows Vista system where the Weather Gadget is running on the desktop and links are visible.

What does the update do?
The update removes the vulnerability by adding additional checks on HTML attributes within the Weather Gadgets.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Update Information

Detection and Deployment Tools and Guidance

Manage the software and security updates you need to deploy to the servers, desktop, and mobile computers in your organization. For more information see the TechNet Update Management Center. The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available at the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch". Finally, security updates can be downloaded from the Windows Update Catalog. For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.

Detection and Deployment Guidance

Microsoft has provided detection and deployment guidance for this month’s security updates. This guidance will also help IT professionals understand how they can use various tools to help deploy the security update, such as Windows Update, Microsoft Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), the Extended Security Update Inventory Tool, and the Enterprise Update Scan Tool (EST). For more information, see Microsoft Knowledge Base Article 910723.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA visit Microsoft Baseline Security Analyzer Web site. The following table provides the MBSA detection summary for this security update.

Note for Windows Vista Microsoft does not support installing MBSA 2.0.1 on computers that run Windows Vista, but you may install MBSA 2.0.1 on a supported operating system and then scan the Windows Vista-based computer remotely. For additional information about MBSA support for Windows Vista, visit the MBSA Web site. See also Microsoft Knowledge Base Article 931943: Microsoft Baseline Security Analyzer (MBSA) support for Windows Vista.

Windows Server Update Services

By using Windows Server Update Services (WSUS), administrators can deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 to Windows 2000 and later operating systems. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server

The following table provides the SMS detection and deployment summary for this security update.

For SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool (SUIT), can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about SUIT, visit the following Microsoft Web site. For more information about the limitations of SUIT, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

Note for Windows Vista Microsoft Systems Management Server 2003 with Service Pack 3 includes support for Windows Vista manageability.

For more information about SMS, visit the SMS Web site.

Security Update Deployment

Affected Software

For information about the specific security update for your affected software, click the appropriate link:

Windows Vista (all versions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

File Information

The English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

For all supported 32-bit editions of Windows Vista:

For all supported 64-bit editions of Windows Vista:

Note For a complete list of supported versions, see the Support Lifecycle Index. For a complete list of service packs, see Lifecycle Supported Service Packs. For more information on the support lifecycle policy, see Microsoft Support Lifecycle.

Deployment Information

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Windows hotfix. If you have previously installed a hotfix to update one of these files, the installer will apply the LDR version of this update. Otherwise, the installer will apply the GDR version of the update. The LDR version of a file has a higher version number than the GDR version of a file. For more information about this behavior, see Microsoft Knowledge Base Article 824994.For more information about the installer, see Microsoft Knowledge Base Article 934307.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site. For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Removing the Update

To remove this update, use the Add or Remove Programs tool in Control Panel.

Verifying That the Update Has Been Applied

• Microsoft Baseline Security Analyzer

  To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

• File Version Verification

  Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

  1. Click Start, and then click Search.

  2. In the Search Results pane, click All files and folders under Search Companion.

  3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.

  4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.

     Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.

  5. On the General tab, determine the modified date of the file that is installed on your computer by comparing it to the modified date that is documented in the appropriate file information table. The files in this package do not have version numbers. prompt:

     Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a recommended method of verifying that the update has been applied. However the files updated for this security patch do not contain file version information so using file attributes information used to verify the update is a detection mechanisms. In certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

• Aviv Raff of Finjan for reporting the Windows Vista Contacts Gadget Remote Code Execution Vulnerability (CVE-2007-3032)
• Aviv Raff, working with iDefense Labs, for reporting the Windows Vista Feed Headlines Gadget Remote Code Execution Vulnerability (CVE-2007-3033)

Support

• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
• International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

• V1.0 (August 14, 2007): Bulletin published.

Built at 2014-04-18T13:49:36Z-07:00