Yesterday, July 10, Microsoft released six security bulletins in the July 2007 patch release. One critical update is a hefty 30MB in size.
The question-and-answer period of the July 11 Microsoft patch discussion Webcast drilled in on the .Net-focused bulletin, MS07-040. The primary attack vector, according to Microsoft personnel, is via the Web, using crafted HTML e-mail messages or a Web site that contains the attack code.
In either case, the user would need to take a simple action (navigate to a site and follow links in an e-mail or instant message) to allow remote code execution on client systems with the .Net framework installed. According to Microsoft, all supported versions of Outlook and Outlook Express open HTML e-mails in the restricted rights zone by default, which mitigates the risk of attacks and prevents Active Scripting and ActiveX controls from being used when reading HTML e-mail.
System and desktop managers who need to install this critical patch should perhaps consult the network staff to discuss a deployment strategy, since the patch is 30MB. Advising network administrators and even users about the size of this critical update will likely reduce the number of complaints and calls when the patch is installed.