Microsoft Issues Three Critical Security Bulletins
"It's an interesting reversal of the trend," said Mike Murray the director of research at vulnerability management vendor nCircle. "Last month I said it had been a while since we've seen server side, remotely-exploitable vulnerabilities, and now this month five out of the six [bulletins] don't require any user interaction [to be exploited]."
Even so, Murray didn't expect August's disclosures to lead to a major worm on the level of Slammer or MSBlast. "I don't see that here.
"The day's overall severity threat level is unknown at the moment -- we've only had 45 minutes to look at these -- so I think it's going to come down to which is easiest to exploit."
Both Murray and another analyst, Neel Mehta, the team leader for Atlanta-based Internet Security Systems' (ISS) X-Force research group, touted two of the three critical bulletins as patch-now problems, especially for users running Windows 2000 desktops or servers.
One of the pair, MS05-039, closes a hole in Windows' Plug and Play, the technology that automatically recognizes new hardware and installs the appropriate drivers. Windows 2000 is the most at risk here -- an anonymous user can simply send a vulnerable PC a specially-crafted message to grab complete control -- but attacks can also be made against Windows XP and Windows Server 2003 machines.
Mehta was the researcher who first reported the Plug and Play problem to Microsoft in March. "I still think it's the most serious and the easiest to exploit," he said, "because it's a stack-based overflow vulnerability. We're very concerned that this could be exploited as part of a worm.
"Windows 2000 users are really at risk, and should patch immediately," said Mehta.
The other bulletin highlighted by Mehta and Murray was MS05-043, which fixes a vulnerability in the print spooler service of Windows 2000, Windows XP, and Windows Server 2003. An attacker can use the flaw to take full control of the system. Like MS05-039, this bug affects some versions of the OS more than others: Microsoft identified Windows 2000 and Windows XP SP1 as most at risk. Those two can be attacked by an anonymous user simply by sending the machine a specially-crafted message; Windows XP SP2 and Windows Server 2003 can be attacked the same way, but only by authenticated users. For users who can't patch, Microsoft advised disabling the print spooler service as a workaround. That, however, stops all printing, both to local and to network printers, until the service is re-enabled.
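The spooler workaround described above, as an added example that is not part of the original article or of Microsoft's bulletin: a small command-prompt script that stops the Print Spooler service and sets it to disabled, or restores it after the patch is applied. It assumes the service name is "Spooler" (the standard name on Windows 2000, XP and Server 2003), that it is run from an administrator command prompt, and that the file name (`spooler_workaround.cmd`) is whatever you choose to call it.

```batch
@echo off
rem Added example, not code from the article or from Microsoft.
rem Usage:  spooler_workaround.cmd          (stop + disable the spooler, MS05-043 workaround)
rem         spooler_workaround.cmd enable   (restore automatic start after patching)
rem Assumption: the service is named "Spooler" and this runs with administrator rights.

if "%1"=="enable" goto enable

echo Stopping and disabling the Print Spooler service...
sc stop Spooler
rem "start= disabled" (note the space after "=") is the syntax sc.exe expects.
sc config Spooler start= disabled
goto verify

:enable
echo Restoring the Print Spooler service to automatic start...
sc config Spooler start= auto
sc start Spooler

:verify
rem "sc qc" reports the configured START_TYPE; "sc query" reports the current STATE.
sc qc Spooler | find "START_TYPE"
sc query Spooler | find "STATE"
```

The verification lines at the end show whether the change actually took: after disabling, expect `START_TYPE : 4 DISABLED` and `STATE : 1 STOPPED`. Remember that while the spooler is disabled nothing will print, locally or to network printers, so run the `enable` branch once the MS05-043 update is installed.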
"I'd put equal severity on both [039 and 043]," said Murray. "Heap-based overflow vulnerabilities like the one in the print spooler are pretty well understood by hackers," he argued.
Mehta and Murray were also in agreement on the final critical bulletin, MS05-038, yet another update to the company's problem-plagued Internet Explorer browser. Both pulled out one of the three vulnerabilities in that bulletin as particularly important to patch.
IE can be attacked via a malformed .jpg image file, either by enticing users to malicious Web sites or by sending them malformed images as file attachments to e-mail, then getting them to open the files.
This isn't the first time IE, or other browsers for that matter, has been tagged with image processing vulnerabilities. Each analyst offered a slightly different take on why that is so.
"Image files are incredibly complex," said Mehta.
Murray wasn't as forgiving. "Developers just aren't writing browsers with security in mind. They're writing functional software for functional purposes, but they're not considering security."
Browser security is at the point where Web server software security was three years ago, added Murray. In other words, dismal. "Now you don't see as many vulnerabilities in Web servers; maybe in two or three years we can say the same about browsers.
"I think it's just going to be a matter of letting all that bad code out by finding vulnerabilities like this one, and then patching them," said Murray.
Of the three remaining new bulletins issued Tuesday, one is labeled as important, the others as only moderate, the second-lowest rating in Microsoft's four-step system.
The most significant of the trio is MS05-041, because it fixes the flaw in Windows' Remote Desktop Protocol (RDP). That bug has been heavily publicized both in the press and among security researchers, in part because it became known just after July's batch of patches was released. In mid-July, Microsoft issued one of its rare security advisories, which led most analysts to expect a patch to roll out Tuesday.
Microsoft continued to downplay the bug, saying exploits would only result in a denial-of-service (DoS) attack that crashes the target PC, not open it to additional attack or give the attacker control. Previously, some third-party security analysts had been unsure whether the bug involved a buffer overflow, which would have raised the possibility of remote code execution rather than just a crash. By Tuesday, however, those experts, having had more time to analyze the bug, confirmed Microsoft's take.
"It doesn't have any potential for buffer overflow," said Mehta.
Microsoft also released bulletins dealing with bugs in Windows' Telephony Application Programming Interface (TAPI) service and in the Kerberos and PKINIT protocols. It also re-released updated versions of two earlier bulletins, MS05-023 and MS05-032, which debuted in April and June of this year, respectively.
August's patches can be downloaded using the Microsoft Update service, or from the Redmond, Wash.-based developer's main security Web site.