Microsoft patches 12 vulnerabilities

Gregg Keizer | Jun 15, 2005 9:25 AM
Microsoft this week rolled out 10 security bulletins for 12 vulnerabilities and used its revamped update services and tools in the monthly patch batch.

Three of the 12 vulnerabilities were marked as "Critical", Microsoft's most serious alert level in its four-step warning system. All three affected OS components or Internet Explorer flaws that had been patched many times in the past.

Microsoft said bulletins marked as MS05-025, 026, and 027 were "Critical" vulnerabilities. They affected Internet Explorer; the HTML Help system in Windows 2000, XP and Server 2003; and the Server Message Block (SMB) protocol in Windows 2000, XP, and Server 2003.

"All three of these services have been patched in the past," said Mike Murray, the director of research at vulnerability management vendor nCircle.

"In fact, one of the IE vulnerabilities, the XML redirection vulnerability, is just a new variant of an older vulnerability."

Murray rejected the idea that Microsoft had a quality control problem. Instead, he laid the blame at the feet of smart vulnerability researchers and hackers.

"There are some clever people figuring out previous patches, and then saying 'if I did X and Y, I could get around that patch'," said Murray.

Microsoft security program manager Stephen Toulouse agreed. "It's more a matter of the focus that researchers bring to it [that decides which vulnerabilities get found,]" he said.

"One of the things that we do when we receive a report from a researcher is actually do code reviews to see, for instance, how the affected code interoperates. In these cases, the vulnerabilities were just different enough [from prior vulnerabilities] that they weren't caught in those earlier code reviews."

The vulnerability with the potential to wreak the most havoc, said Murray and others, was MS05-027, the flaw in SMB, the protocol that Windows uses to share files, printers, and serial ports and to communicate between computers.

Similar to, but not a repeat of, a bulletin released in February, 027 could be exploited by a worm like, say, MSBlast, he said.

"If you read the bulletin, it doesn't say anything about authentication," said Murray. "Does an attacker need to have a valid log-in username and password? If not, and it doesn't require authentication, that means anyone can break into the box."

Microsoft's Toulouse said the SMB vulnerability didn't require authentication, but stressed that the most likely result of an attack would be a less dangerous denial-of-service.

"Even so, we're erring on the side of caution, and rating this as 'Critical' because of the theoretical potential."

nCircle's Murray took the word "theoretical" with a grain of salt. "If there's a way to exploit a vulnerability, hackers will do it," he said.

"This is definitely serious. It's the only vulnerability of the bunch that could be exploited by a large-scale network worm," Murray said.

But he also hedged his bets, perhaps because a similar call in February was quickly proved wrong after additional analysis. "We'll know more in the next six hours or so, as we examine the vulnerability."

Other analysts also tagged MS05-027 as the one to watch. Neel Mehta, a team leader with Internet Security Systems' X-Force security research group, named it as his number one threat "because of its scope and the fact that user authentication's not required, nor user interaction."

Writing an exploit for the SMB bug won't be easy -- Mehta called it "fairly challenging" -- but he said it wouldn't be long, perhaps within the week, before an exploit appeared. "It's actually more potentially dangerous than the February vulnerability in SMB," he added. "We're going to be tracking this carefully."

Windows XP SP2 users who have left the by-default-enabled Windows Firewall in place are protected to some extent, said several of the researchers interviewed, since it automatically blocks the external ports used by the SMB service.

"But if someone has disabled the firewall, or has turned file sharing on," Mehta explained, "they could be hit."

It was the other two Critical bulletins -- one that fixes flaws in how IE processes PNG (Portable Network Graphics) image files, another in Windows' HTML Help -- that got the attention of another researcher, Alfred Huger, vice president of engineering for Symantec's security response team.

"I think 025 and 026 are the ones I found the most alarming," said Huger. "Both the PNG and HTML vulnerabilities are dangerous because they can affect so many end targets."

Anyone with an unpatched IE application was at risk. "And we've seen how fast phishers and rogue websites are in picking up on graphics vulnerabilities."

Like Mehta, Huger expects to see exploits soon. "There will be [PNG] exploits within the week," he said.

The remaining seven bulletins, which detail and patch four vulnerabilities marked as "Important" and four labeled "Moderate", covered various applications, ranging from Outlook Web Access on the aging Exchange Server 5.5 to Microsoft Internet Security and Acceleration (ISA) Server 2000.

Patches can be downloaded using the new Microsoft Update service or, for enterprises, the just-released Windows Server Update Services.

Those services, said Microsoft's Toulouse, were "working just fine" this week in their debut.