Microsoft Pulls One Fix From 'Patch Tuesday'

Microsoft rolled out six security bulletins on its "Patch Tuesday" today, one fewer than expected.

There are four "Critical" patches, all of them new fixes in the sense that the underlying flaws weren't previously known to the public. Further, instead of three, there are now just two patches that Redmond deemed "important."

One important patch mentioned in the advance notice but dropped from the release would have dealt with potential spoofing attacks, in which disguised malicious agents could enter the system under false pretenses. Also, one of the "important" patches, which deals with denial-of-service (DoS) risks in every OS version, should really be labeled "important-plus": slightly less than critical, but far more important than its rating indicates.

Eric Schultze, chief security architect at Saint Paul, Minn.-based Shavlik Technologies, says this latest slate of patches validates ongoing concerns about the security integrity of Vista. It also reveals what he calls a "preponderance" of continued vulnerabilities across myriad Windows product offerings to attacks from malicious Web pages.

"I don't think Microsoft is getting the protection they hoped they would have had in Vista and it's starting to show," Schultze said. "We're also continuing to see client-side vulnerabilities coming from potential Internet threats."

The critical patches affect Kodak Image Viewer, Outlook Express and Windows Mail, Internet Explorer and Microsoft Word, respectively. They all have remote code execution (RCE) implications, an ongoing concern that security admins should keep an eye on, Schultze added. Microsoft suggests using the Microsoft Baseline Security Analyzer to discover the threats.

The first critical issue involves Kodak Image Viewer, formerly known as Wang Image Viewer. Attackers could remotely execute code with the use of what Microsoft calls "specifically crafted image files." The fix is critical for both service packs of Windows 2003, as well as Windows 2000 SP4 and XP SP2.

The second critical security update addresses what might happen in Outlook Express and Windows Mail if a post on a discussion thread, e-mail, article or blog entry sent via Network News Transfer Protocol (NNTP) is either maliciously uploaded or "incorrectly handled and malformed." Microsoft said an attacker could exploit the vulnerability by constructing a specially crafted Web page that could route "newsreader" applications to an unsuspecting news server, which is usually installed on internal networks. The patch is especially critical because problems with NNTP can open a security leak in the firewall, undermining it from within.

The third critical patch affects IE going back to version 5. The cumulative IE security update remedies three potential vulnerabilities by refreshing or erasing Hypertext Transfer Protocol (HTTP) footprints that could otherwise dump malicious code onto the system. This patch closes a fourth hole by modifying how script errors on HTML pages are handled, effectively sweeping away garbled or potentially malevolent code.

The last critical patch guards against RCE attacks that may occur through "specially crafted" Microsoft Word files. Affected programs include Word 2000 SP3, Word 2003 SP3 and Word 2004 for Mac. Word 2007 isn't affected.

"It's not so much a threat from the Internet that's a problem here but something that could happen internally, as you're not going to open a Word file from someone you don't know," said Schultze. "But you'd be amazed what one could achieve by just putting a document marked 'salaries' on the shared drive. People would open it and there is your entry point right there."

While the four critical patches are serious, out of all the patches released this month, perhaps the most intriguing and far-reaching one deals with DoS attacks. These are attempts to make IT resources unavailable to users, and this vulnerability affects nearly every OS version.

This "important-plus" patch, as Schultze and others have described it, would keep at bay an anonymous attacker looking to exploit vulnerabilities by sending specially crafted remote procedure calls or remote invocation authentication requests to a computer over the network. Microsoft said an attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.

"This is something I might patch first, even above the criticals," Schultze said. "This is the most interesting thing this month. If I'm a disgruntled employee I can send packets that would take computers offline, and if I take out corporate Exchange servers, I can shut workstations down, lock people out and do it again after reboot."

Schultze said this patch is particularly significant as he expects an exploit for this vulnerability to be published within a week.

The last patch of the bunch is a zero-day patch for all versions of SharePoint Services. If left vulnerable, an attacker could gain elevated privileges on a machine and run scripts that could compromise anything from a single workstation to the entire network. The patch modifies the validation criteria for URL-encoded requests.

Rounding out the release, Redmond unveiled its monthly update to the Microsoft Windows Malicious Software Removal tool, as well as three non-security, high-priority updates on Microsoft Update and Windows Server Update Services; and one non-security, high-priority update for Windows on Windows Update.

There is a lot to consider this month for IT pros, as half of the six bulletins -- two of the critical and one of the important items -- will require restarts. Moreover, although the "important-plus" patch for all OSes is not rated critical, the risks are.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.