News

Microsoft Releases Six Critical Patches

For the February security bulletin release, Microsoft rolled out six "Critical" fixes -- rather than the seven detailed in the advance notice -- and five "Important" items.

This month's 11 patches -- said to fix 17 total bugs -- are the most Windows IT pros have seen since August, and with a greater variation of vulnerability plugs than at any time in the last 12 months, according to security experts.

"After several slow Patch Tuesdays, administrators are faced with the most patches they've seen in a year," said Paul Zimski, senior director of market strategy at Scottsdale, Ariz.-based Lumension Security. "Because so many critical patches affect so many applications -- including Office, Internet Explorer and the operating systems themselves -- these are widespread enough to have a bigger effect and they are going to require the utmost attention and energy."

Moreover, Zimski added, with many remote code execution (RCE) flaws that don't require end user consent, the potential for malware, botnets and rootkits is rampant.

The first critical fix is said to solve what Redmond said was a "privately reported vulnerability" in the Web-based Distributed Authoring and Versioning Mini-Redirector, or WebDAV Mini-Redirector. WebDAV, which enables users to manage Web files on remote servers, is a set of extensions to the Hypertext Transfer Protocol, most commonly known as "http." This RCE flaw constitutes a hacker's dream: a scenario where attackers can get in and take complete control of a system, manage and edit files and create new accounts with elevated user rights. The issue affects all Windows OS versions with the exception of Windows 2000 SP4.

Critical patch No. 2 also resolves an internally reported hole. It's designed to thwart attacks on Object Linking and Embedding (OLE) Automation, which is a proprietary software feature from Redmond that allows linking to documents, data and other objects on the Windows Component Object Model. For developers, it serves as a way to customize user interfaces. With a specially crafted Web page, an attacker could execute malicious code through OLE but the vulnerability would only really be damaging if it were to affect user workstations that have administrative profile parameters. The fix is for Windows, Office and Visual Basic programs on all OS versions, although only Windows 2000 SP4 and all editions of XP and Vista were labeled as "critical."

Yet another private vulnerability plug is designed to block bad code embedded in specially crafted Word documents. An attacker could send a Word file, get it opened by an unsuspecting user, and then gain access, going willy-nilly. The vulnerability mainly affects Office SP3, Office XP SP3 and Office 2003 SP2.

The popular browser Internet Explorer was late last year plagued with problems, and now the fourth critical bulletin will hopefully address most of those issues. Specifically, Redmond says this cumulative patch addresses three private bugs and one publicly reported one. Although these fixes -- affecting all versions of IE up to and including IE 7 for Vista -- are yet to be specified, once that patch is installed what's fixed and not fixed will come out in the rinse, security experts contend.

"These vulnerabilities underscore the importance of having a full security suite to protect consumers and enterprises from being exploited since it's obvious they can no longer only rely on traditional best practices alone, such as avoiding unknown or unexpected e-mail attachments or following Web links from unknown sources," said Ben Greenbaum, senior research manager for Symantec Security Response.

Meanwhile, the fifth critical bulletin affects Microsoft Office Publisher versions 2000 to 2003 and Office XP SP3. The patch resolves two privately reported vulnerabilities in Office Publisher that could allow remote code execution through a specially crafted Publisher file. One such example is an e-mail newsletter that an end user probably shouldn't be opening in the first place.

The last critical issue affects the whole Office suite of applications, most specifically Office 2000 SP3. Office XP SP3, Office 2003 SP2 and Office 2004 for Mac are all noted as "important" in regard to this patch.

While the critical issues will certainly keep a technologist's hands full, there are also five so-called "important" bulletins in this month's rollout.

The first one resolves a privately reported hole that can be exploited during ramp-up of Active Directory on Windows 2000 Server, Windows Server 2003 and Active Directory Application Mode, particularly when installed on Windows XP Professional and Windows Server 2003. This is a denial-of-service exploit where a hacker simply shuts administrators out of the systems, creating outages, work stoppages and other interruptions. On Windows Server 2003 and XP, however, the hacker would need inside information, such as local log-on credentials.

The second fix addresses Transmission Control Protocol/Internet Protocol processing, more commonly known as TCP/IP. It's a privately reported vulnerability where hackers could force automatic restarts on a looped basis.

The third and fourth important patches affect Windows Internet Information Services (IIS) and are poised to stop elevation of privilege and RCE exploits, respectively. In the first case, the attacker would most likely need to have local credentials. Meanwhile, the second one is remote and deals with ASP Web page inputs where an attacker could take control of the IIS server by way of the Worker Process Identity program, which is preset with network admin account privilege defaults -- candy for a hacker.

The third patch affects every OS and Windows Server version with the exception of Vista SP1 and the new Windows Server 2008, while the fourth covers XP Professional SP2, including the 64-bit editions, and all Windows Server 2003 editions.

Security admins should give these two a close look, according to observers.

"The two important patches for IIS warrant attention because Web servers are prime targets compared to an endpoint, and this is definitely not something that you want to be vulnerable," said Lumension's Zimski.

The last of the bunch is an RCE bug unleashed via specially crafted Microsoft Works or .WPS files with an affected version of Office, Microsoft Works or Microsoft Works Suite. The bulletin synopsis says the bug it fixes is more common on Office 2003 SP2 and SP3, as well as Microsoft Works 8.0 and Microsoft Works Suite 2005.

After the sweat is wiped from the brows of those ingesting all this, IT pros should know that of the 11 total bulletins, six will require restarts.

"There were a lot of interesting items," said Eric Schultze, chief technology officer at Shavlik Technologies in St. Paul, Minn. "It's going to be busy but I did notice they pulled the critical JScript\VBScript patch that they had planned. No indication from Microsoft as to why -- probably related to last-minute testing failures. Client-side attack vectors will continue, malicious files and Web pages, it's starting to get ho-hum boring. There'll be lots of work, nonetheless."

As a reminder, Microsoft is pushing IE 7 via WSUS automatic update starting today.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.