Three of the bulletins were tagged as "critical," one as "important," and the fifth as "moderate"--the last being Microsoft's second-from-the-bottom alert.

Gregg Keizer, Contributor

April 11, 2006

Microsoft Tuesday released five security bulletins that patched 14 different vulnerabilities, including an awaited fix for Internet Explorer, the browser which has been victimized for weeks by multiple exploits installing adware, spyware, and keyloggers on users' PCs.

Three of the bulletins were tagged as "critical," one as "important," and the fifth as "moderate"; that last is Microsoft's second-from-the-bottom alert.

However, the majority of the 14 bugs in the 5 bulletins were labeled "critical" by the Redmond, Wash. developer, meaning that they should be patched as soon as possible. Of the 9 critical flaws, 7 relate to the MS06-013 security bulletin, a massive update for Internet Explorer 5.0 and 6.0 (but not, apparently, the Beta 2 Preview of IE 7).

Still, said one analyst, the bugs aren't anything out of the ordinary.

"It's the same sort of thing we get every month," said Mike Murray, director of research at vulnerability management vendor nCircle. "There's not really anything that's surprising here."

Another security expert agreed. "The createTextRange vulnerability [patched in MS06-013] is significant, but only because of the publicity and hype it's received," said Jonathan Bitle, a product manager with vulnerability management software maker Qualys.

createTextRange was the name given to an IE bug discovered three weeks ago, and quickly exploited by several hundred malicious Web sites to secretly download spyware, adware, and other malicious programs on users' machines.

Of the remaining 9 bugs fixed in MS06-013, 2 had been made public previously; however, although proof-of-concept code was in the wild, Microsoft claimed that no active exploits were circulating.

"It's hard to be surprised anymore by IE vulnerabilities," said nCircle's Murray.

Among the newly-revealed flaws was one dubbed "Address Bar Spoofing Vulnerability." However, it is not a fix for the bug noted by Danish vulnerability tracker Secunia last week, but instead is an entirely different -- and previously undisclosed -- potential phishing exploit.

Two other bulletins were judged "critical" by Microsoft: MS06-015, which Symantec dubbed "Windows XP Self-Executing Folder Vulnerability," and MS06-014, which affects Windows MDAC (Microsoft Data Access Components), those parts of the operating system used to access SQL databases. Both flaws can be exploited by attackers who could take complete control of a PC if they could lure users to malicious sites or get them to open e-mail attachments.

"Both of these are in the same sort of category as the IE vulnerabilities," said Murray. "Both could be used in the kind of user-interaction scenarios we've been seeing for some time.

"When you're talking about user interaction vulnerabilities, whether it's a shell bug [MS06-015] or in MDAC [MS06-014], it's all about the same," Murray added.

The fourth and fifth bulletins unveiled Tuesday impact Outlook Express, the free e-mail client bundled with Windows (MS06-016), and Microsoft Office's FrontPage Web design application (MS06-017). The former was labeled "important," the latter "moderate" by Microsoft.

A large number of the vulnerabilities disclosed Tuesday must be patched even by those running Microsoft's most-current operating system, Windows XP SP2, which debuted over two years ago and has been heralded by many as much more secure.

"We are seeing more vulnerabilities for SP2," admitted Murray, "but what we're not seeing are remote vulnerabilities. All the vuls we're seeing require you to click on something or download something. What SP2 did is eliminate those remote vulnerabilities."

Qualys' Bitle seconded that.

"There's no more of what I call 'outside-in' threats," he said. "Instead, it's all 'inside-out' since SP2 was released. Firewalls and perimeter defenses can't stop users from visiting malicious sites."

Both were hopeful, Murray more so, that the upcoming Windows Vista and IE 7 would continue the trend toward locking down the operating system and making it more difficult for users to blithely surf to suspicious sites.

"Look at the vulnerabilities," urged Murray. "There are not that many that affect Windows [Server] 2003. That's because it's locking down the browser more.

"Microsoft is doing the right things to mitigate problems as time goes on. With Vista and IE 7, the OS and browser will be more locked down. Then attacks will turn to e-mail clients.

"And then we'll have to lock them down more."

Users can obtain the month's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company maintains, such as Windows Server Update Services (WSUS) or Software Update Services (SUS).
