No Surprises in Last Patch Tuesday for 2007
- By Jabulani Leffall
The last Patch Tuesday of the year is a busy one as Microsoft released seven
security bulletins -- three "Critical," and four "Important."
Security experts say that the latest release -- which deals with potential
remote code execution and elevation of user privilege holes -- cements 2007
as the year of the "client-side" vulnerabilities and could make 2008 the year
of the "Vista patch."
"What Microsoft did right this year was getting their patches out in a timely
manner for client-side vulnerabilities," said Eric Schultze, chief technology
officer of St. Paul, Minn.-based Shavlik Technologies. "What they did wrong
was to laud Vista as the security cure-all, a big mistake considering what we're
Indeed, security experts identified eight distinct vulnerabilities this month that all affect Vista; five of the seven patches in the bulletin deal with potential vulnerabilities in the new OS.
The three critical bulletins all relate to remote code execution, a recurring theme throughout this year with each patch release.
The first critical issue is said to close the book on two privately reported
vulnerabilities in Microsoft DirectX, a cluster of streaming media application
programming interfaces in all versions of Windows. Microsoft said vulnerabilities
could allow code execution if a user opened a specially crafted streaming media
file in DirectX.
For instance, an attacker exploiting this vulnerability could commandeer the
system from a user who is logged on with administrative rights. The attacker
could subsequently have carte blanche in installing programs viewing, updating,
altering or deleting data -- even creating new user accounts with "superuser"
The second item in the critical area is akin to the first patch in that it
deals with Windows Media Runtime components. This update, like the first one,
also resolves a privately reported vulnerability in Windows Media Format. This
vulnerability could allow remote code execution if a user viewed a specially
crafted file in Windows Media Format Runtime. Redmond said users with fewer
rights will likely be less impacted than those with administrative access rights.
The first two patches are timely -- exploit code had been released last Saturday that seizes upon a hole in a flawed MP4 codec used on both Windows Media Player and Windows Media Player Classic.
The last critical patch should raise the most eyebrows among security administrators, as it constitutes a cumulative update of Internet Explorer.
Redmond said the patch covers at least four privately reported holes in the application and that the most serious security impact could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.
What's missing from this cumulative patch is a specific fix for Web Proxy Automatic Discovery program vulnerabilities as described in the software giant's security advisory released last week. Observers say Microsoft probably couldn't resolve that issue in time for the December patch release.
Furthermore, some security experts are concerned about the ongoing client-side
vulnerabilities in Windows applications. With the growth of Internet file sharing,
said Ben Greenbaum, senior research manager at Symantec Security Response, hackers
can share exploit code with the world under the guise of a video file of the
latest YouTube craze.
"The sheer number of vulnerabilities this month that affect Windows Vista is
a concern," Greenbaum said. "The more alarming vulnerabilities are those in
Windows Media Format Runtime and Internet Explorer, since a successful exploit
could occur when a user visits a malicious Web page or when viewing a malicious
e-mail. Neither issue requires any further interaction by the victim to exploit,
compounding the problem."
Meanwhile, all of the four important fixes, split between RCE exploits and elevation of rights attacks, pertain to Windows OSes -- either XP and/or Vista. With elevation of privilege at the OS level, a hacker can get around access controls by increasing entry and command parameters on the system, thus changing the rights profile and becoming a "superuser."
The first important patch affects Vista and Vista x64 versions and is actually
the result of new code written to target those specific versions. The patch
covers Server Message Block Version 2 (SMBv2) which, in most cases, operates
as an application-based network protocol, with utility in areas of shared access
such as printer settings, serial ports and community hard drives.
Redmond said vulnerabilities in SMBv2 can allow an attacker to tamper with
data transferred via the SMB protocol, which would foster remote code execution
in domain configurations that communicate via the protocol itself.
The second important patch affects Windows Server 2000 Service Pack 4 and XP
SP3 and remedies a privately reported vulnerability in the Message Queuing Service
(MSMQ) that could allow remote code execution in OS or application implementations
on Windows 2000 Server. Also, it could allow for elevation of privilege in the
same such implementations on Windows 2000 Professional and Windows XP. However,
Redmond said that attackers would have to have "valid log-on credentials to
exploit this vulnerability."
The third important stopgap in the form of a patch prevents elevation of privilege execution in all versions of Vista. Exploiting a vulnerability in the Windows Vista kernel, an attacker could take complete control of an affected system.
The last of the important fixes patches up holes that could allow for local or client-side elevation of privilege on all versions of XP and every version of Windows Server 2003 except Itanium-based systems. This update takes care of a publicly disclosed vulnerability, where the Macrovision driver incorrectly handles configuration parameters and could be used by a hacker to take over the whole system.
As usual, Microsoft Baseline Security Analyzer can be put in play by IT pros to sweep the system and determine if an individual update is needed. Five of the seven patches will require a restart, with the caveat from Redmond that the remaining two may require restarts in "certain situations."
Microsoft also plans to release six nonsecurity, high-priority updates on Microsoft Update and one nonsecurity, high-priority update for Windows on Windows Update.
Lastly, what would Patch Tuesday be without a new version of the Microsoft Windows Malicious Software Removal Tool, which Redmond releases every month?
"What this last release of the year proves is that security is not a one-off
thing that you can brand in the way you would laud other features," said Symantec's
Greenbaum. "Security is an ongoing process, with different goals at different
times, and is constantly changing."
In the wake of the release, IT pros in the Windows enterprise space will have
a veritable stocking stuffer of issues to consider in what may be a hectic lead
time ahead of the holiday break.
Schultze of Shavlik Technologies predicts that 2008 might be the "year
of the Vista patches" and says technologists and computer enthusiasts can expect
more client-side vulnerabilities in Windows products and services, particularly
as they relate to shared Web files.
"From what we've seen in the last sixth months, I'd expect one of two large server side issues too," he said. "They'll be similar to a slammer or a worm and may come about by June. [We] haven't had those in a while and we're probably due for it."
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.