Microsoft Releases 7 Patches for Windows, IE, Visual Studio Flaws
By Stephen Swoyer
Microsoft Corp. today announced a bevy of patches -- seven, in all -- that address vulnerabilities in its Visual Studio IDE and Windows operating environments.
Microsoft identified "critical" vulnerabilities in Visual Studio 2005, Internet Explorer versions 5.01 and 6, and in its ASF and ASX Windows Media File formats. Attackers can exploit any of these vulnerabilities to remotely run code on -- and also gain control of -- affected computers.
The other patches released today are rated "important."
Significantly, the company did not patch two Word flaws for which known exploits already exist.
Visual Studio Fix
Codejockeys take heed: Attackers who successfully exploit a WMI Object Broker vulnerability in Visual Studio 2005 could take control of your systems, Microsoft warned. There are a few caveats, of course: Any would-be attacker would have to craft a specific Web page (complete with malicious WMI calls) and entice unsuspecting users to visit it -- typically by embedding a link in an e-mail.
The vulnerability affects several different versions of Visual Studio 2005. A complete listing can be found here.
If users don't have wmiscriptutils.dll on their systems, they aren't vulnerable, Microsoft says. Similarly, users who are running Internet Explorer 7 with its default settings enabled are also protected, to a degree: the WMI Object Broker control must first be activated (via the ActiveX opt-in feature in the Internet Zone) in order to exploit the vulnerability. There's a caveat here, too, however: Users who enabled WMI Object Broker in previous versions of Internet Explorer prior to upgrading to Internet Explorer 7.0 are vulnerable, Microsoft cautioned.
Finally, users who are running Internet Explorer on Windows Server 2003 also enjoy some measure of protection. Internet Explorer's Enhanced Security Configuration disables ActiveX scripting by default.
Microsoft today also issued a cumulative patch that addresses at least four serious vulnerabilities in Internet Explorer versions 5.01 and 6. The vulnerabilities -- which open the door to memory corruption and information disclosure exploits -- affect IE's script handling, DHTML scripting and Temporary Internet File features. At least two of them, a Script Error Handling Memory Corruption Error and a DHTML Script Function Memory Corruption Error, could allow attackers to execute code on -- and gain control over -- vulnerable systems.
All Windows versions running Internet Explorer 5.01 or 6.0 are affected by the vulnerabilities. Internet Explorer 7.0 is not affected, Microsoft said.
ASX and ASF
Microsoft also patched vulnerabilities in its ASX and ASF Windows Media File formats that could allow attackers to gain control over compromised systems. Both formats are susceptible to parsing vulnerabilities that can be exploited by attackers who create malicious ASX and ASF files. One possible attack involves embedding malicious ASX or ASF files in Web pages as content. An attacker could then entice users -- most likely via a link embedded in an e-mail message -- to visit a compromised site. And that's not all: Malicious ASX or ASF content can also be exposed as banner advertisements or embedded as e-mail attachments, Microsoft warned.
Affected systems include any Windows 2000 (all versions), Windows XP (all versions), and Windows Server 2003 (32- and 64-bit x86 codebases) systems running Windows Media Player 6.4 or versions 7.1 through 9.5 of the Windows Media Format Runtime. Windows Server 2003 for Itanium (all versions) and Windows Vista are not affected by these vulnerabilities, Microsoft said.
Media file format vulnerabilities are a sign of the times, according to Symantec Corp.'s Security Response service.
"[D]ue to the integration of various content-handling applications, such as media players, browsers are a viable attack vector for many client-side vulnerabilities," said Oliver Friedrichs, director of Symantec Security Response, in a statement. "Today's release from Microsoft reconfirms that client-side vulnerabilities are one of the most efficient and well known methods by which computers can become infected, therefore users are urged to install patches as soon as possible."
Other Windows Fixes
Microsoft also released patches that address:
- A flaw in the way in which Windows handles “file manifests.”
- An unchecked buffer in the Windows SNMP service.
- An insecure TFTP service that's enabled by default with Remote Installation Service (RIS) running on Windows 2000 Server.
- A cumulative update for Outlook Express.
The first vulnerability -- which stems from how the Client-Server Run-time Subsystem processes and manages file manifests -- is probably the most serious: it can lead to privilege elevation on affected systems. In some cases, Microsoft conceded, an attacker could gain complete control over an affected system. This vulnerability affects Windows XP (32-bit) and Windows Server 2003 (32-bit and Itanium-based) systems.
The second vulnerability -- a remote code exploit in Microsoft's SNMP Service -- is also limited in impact: the SNMP service is not installed by default in any supported version of Windows, Microsoft said.
Even so, Windows 2000, Windows XP Professional (all versions), and Windows Server 2003 (all versions) that have the Microsoft SNMP Service installed and running are affected. Windows Vista is not vulnerable.
The third vulnerability is another remote code exploit, this time specific to Windows 2000's RIS implementation. An anonymous attacker can exploit RIS' TFTP implementation (which does not require authentication) to upload malicious code to vulnerable RIS systems. When new systems are built which include the malicious code, an attacker could conceivably gain control over them.
Finally, Microsoft patched an unchecked buffer in the Windows Address Book feature that's included with Outlook Express versions 5.5 and 6. An attacker who successfully exploits this flaw could run code on -- and potentially gain complete control over -- compromised systems, Microsoft warned.
To view the official notification on all of today's patches, go here.
Stephen Swoyer is a contributing editor for Enterprise Systems. He can be reached at firstname.lastname@example.org.