Microsoft Patches 10 Bugs, Omits Word Fixes
January's security bulletins were half the number originally expected, as on Friday Microsoft changed its mind and pared the number from eight to four without an explanation. Of the updates, three involve Microsoft's Office suite, while the fourth affects Internet Explorer, the developer's oft-patched Web browser.
The most dangerous bug, says Amol Sarwate, manager of Qualys' vulnerability lab, is patched by MS07-003, which affects Microsoft Outlook, the e-mail client packaged with Office. The update fixes three flaws, one tagged critical. "It addresses one zero-day [vulnerability] that had already been made public," says Sarwate. "And it also fixes a calendar vulnerability. Meeting requests are common in day-to-day use and users could be expected to open the e-mail with a malformed request." Two of the three Outlook flaws could let an attacker hijack a PC running Outlook 2000, 2002, or 2003. The newest version, Outlook 2007, is immune to these vulnerabilities.
Lamar Bailey, operations manager of IBM Internet Security Systems' X-Force vulnerability research group, disagreed with Sarwate, and put MS07-004 at the top of the must-patch-now list.
The vulnerability is being exploited in the wild, Bailey said as explanation, "and there have been two remote code execution exploits of the VML engine in the past. It's obvious [the engine] has more issues."
MS07-004 fixes another bug in VML -- Vector Markup Language -- an extension of XML that defines Web images in vector graphics format. In September 2006, Microsoft went out-of-cycle for just the second time in the year to quickly patch a different VML vulnerability. Like that earlier flaw, this one can be exploited without any user action. "Just going to someone's Web site is all it takes," says Bailey.
"We're giving the same advice as in September, to unregister the DLL," Bailey says. "VML isn't used very often, so you won't miss it." In a 2006 advisory, ISS recommended that users enter this command in Windows' Run field, then reboot the PC:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
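For administrators who want to confirm the workaround actually took effect on a machine (rather than trusting that the Run-box command succeeded), the following PowerShell script is an added example, not code from the article or from ISS. It assumes regsvr32 registered the VML engine the standard way for COM in-process servers (an HKCR\CLSID\{...}\InprocServer32 default value pointing at vgx.dll), and it uses the same DLL path the ISS advisory quotes.

```powershell
# Added example (not from the article or from ISS): report whether the VML
# engine (vgx.dll) is still COM-registered and, with -Unregister, apply the
# workaround the article quotes. Assumes the standard COM registration layout:
# HKCR\CLSID\{...}\InprocServer32 with the DLL path as the default value.
param([switch]$Unregister)

$VgxPath = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistration {
    # Return every CLSID whose in-process server resolves to vgx.dll.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'vgx\.dll$') {
                [pscustomobject]@{ CLSID = $_.PSChildName; Server = $srv.'(default)' }
            }
        }
}

if (-not (Test-Path $VgxPath)) {
    Write-Output "vgx.dll not found at $VgxPath; checking for stale registrations only."
}

$before = @(Get-VgxRegistration)
if ($before.Count -eq 0) {
    Write-Output 'VML engine is not COM-registered; the workaround is already in effect.'
    return
}
Write-Output "VML engine is registered under $($before.Count) CLSID(s):"
$before | Format-Table -AutoSize | Out-String | Write-Output

if ($Unregister) {
    # Same command the article quotes, run silently. regsvr32 is a GUI-subsystem
    # program, so wait for it explicitly; this needs an elevated shell.
    Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/u', '/s', "`"$VgxPath`"" -Wait
    $after = @(Get-VgxRegistration)
    if ($after.Count -eq 0) {
        Write-Output 'Unregistered. Reboot (as ISS advised) so running IE instances drop the DLL.'
    } else {
        Write-Warning "vgx.dll is still registered under $($after.Count) CLSID(s); was the shell elevated?"
    }
}
```

Run it without switches to audit, or with -Unregister from an elevated prompt to apply the workaround and re-check; note that it only removes COM registration, it does not delete or patch the DLL, so the MS07-004 update is still required.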
However, unlike the 2006 fix, MS07-004 includes patches for Internet Explorer 7, the updated browser Microsoft has touted as much more secure than earlier editions. IE 5.01, 6.0, and 7 must be patched on Windows 2000 and Windows XP. Microsoft gave no indication, however, whether IE 7 on Vista requires a similar fix. "Second-worst" on Bailey's list is MS07-002, but the call seems close. "The Outlook iCalendar issue could result in an automatically propagating e-mail worm," Bailey says. "Various wormable vulnerabilities that were disclosed in Microsoft products last year haven't resulted in outbreaks so far [and] we hope this trend continues.
"We don't rate this as high as the VML issue right now because MS07-004 is being exploited in the wild as we speak, whereas iCalendar is not. But it's [only] a matter of time before that happens," Bailey says.
Chris Andrew, the VP of security technologies at patch management vendor PatchLink, took a different approach and recommended users and enterprises put equal emphasis on fixing MS07-003, MS07-004, and MS07-002. "They should all be patched relatively quickly," says Andrew. "There are five [vulnerabilities] in MS07-002, and that ain't a good sign. The wise thing to do would be to get them all rolled out at the same time."
MS07-002 contains the most fixes -- five, all critical -- and patches all versions of Microsoft's Excel spreadsheet from Excel 2000 on, including those that are part of the Office 2004 for Mac and Office v.X for Mac suites. Interestingly, it replaces a similar update first issued in October that had to be re-released in December 2006. The Excel bugs could be used by attackers to create malformed spreadsheet files that, if opened -- they might be packed as attachments to a spoofed e-mail or added to malicious Web sites and touted as worthwhile downloads -- would let criminals inject other malware into the PC or Mac.
Hackers used other flaws in Excel -- patched in the summer of 2006 -- as well as comparable bugs in PowerPoint and Word to launch targeted attacks against specific companies or organizations. Many of these attacks were traced to China, and were aimed at, among others, public utility companies in the U.S.
"These are quite dangerous, and yes, they're similar to the vulnerabilities [of this summer]," says Steve Fossen, manager of anti-virus research at security vendor Fortinet. One of the Excel bugs was discovered by Jie Ma, a Fortinet researcher, and reported to Microsoft in mid-August 2006.
The fourth update, MS07-001, is ranked as "important," Microsoft's second-highest threat rating, but affects only Brazilian Portuguese or Spanish language versions of Microsoft Word.
Although none of the researchers would share any inside information on what fixes Microsoft may have dropped from Tuesday's releases when it halved the list, both Sarwate and Bailey noted one omission: patches for the trio of Microsoft Word bugs that already are being exploited.
"I'm kind of surprised," says Bailey, "since they're being exploited in the wild."
Sarwate agrees. "Because there are three zero-day [Word vulnerabilities], there's a good chance we'll see an out-of-band release this month."