News

Microsoft Releases Two Patches

Microsoft kicked off 2008 with two patches -- one "Critical," one "Important."

Although the release is light, security experts call the rollout an intriguing mix of both server- and client-side concerns.

Redmond said the critical update resolves two privately reported vulnerabilities in TCP/IP processing.

The patch is designed to deflect remote code execution exploits that use the multicast function for delivering information packages as an attack vector. Multicast sends network activity information to a group of destinations throughout an enterprise processing environment.

While this attack avenue is usually blocked by firewalls, security expert Eric Schultze warned that hackers may exploit the vulnerability via Local Area Networks or LANs.

"A larger concern is attacks on the local area network -- assuming that multicast has been enabled on the LAN machines," said Schultze, chief technology officer for St. Paul, Minn.-based Shavlik Technologies. "I would get this issue patched as soon as possible, as prior experiences have shown that remote IP-based attacks causing denial of service, or worse, can be detrimental to the target network."

The issue affects Microsoft Windows 2000 Service Pack 4, Windows XP, Windows Server 2003 and all versions of Vista.

Meanwhile, the Important bulletin deals with local or client-side elevation of privilege. The software giant said the update resolves a privately reported vulnerability in the Windows Local Security Authority Subsystem Service (LSASS). Using LSASS, an in-house user or administrator would need access to a machine to upgrade or increase entry and command parameters on the system and garner superuser privileges.

Many observers such as Schultze have an issue with the way Microsoft describes the security implications of this issue, which affects Windows 2000 SP4, XP and Windows 2003.

"In the bulletin, Microsoft says 'An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.' This isn't true," said Schultze. "The code simply has to execute locally on the system in question -- the attacker doesn't need credentials to that system in order to exploit it."

Specifically, Schultze and others stress that in this instance an attacker wouldn't need local authentication because someone with malicious intent can get a user to unknowingly download and execute the evil payload, resulting in complete compromise.

This is a case where the code can be executed locally without the attacker needing any credentials.

Both updates will require a restart; administrators can run Baseline Security Analyzer to detect whether workstations require these updates.

Redmond also released five nonsecurity updates on Microsoft Update and Windows Server Update Services as well as two nonsecurity, high-priority updates for Windows and Windows Update Server Update Services.

The latest version of the Windows Malicious Software Removal Tool is also included. Based on the vulnerabilities involved, this is an important rollout that shouldn't be taken lightly despite the low patch count.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.