Microsoft Patches Address Slew of Vulnerabilities - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Microsoft Patches Address Slew of Vulnerabilities

The company released its largest group of security patches in nearly a year. Among them is a vulnerability that one security vendor claims will likely lead to the biggest, baddest worm since mid-2003.

Microsoft Tuesday released its largest group of security patches in nearly a year as it posted 12 security bulletins encompassing 16 vulnerabilities, 10 of which it marked "Critical," its highest warning.

Among them is a vulnerability that will likely lead to the biggest, baddest worm since mid-2003, said Mike Murray, the director of research at vulnerability management vendor nCircle.

"There's a clear 'winner' here," said Murray. " MS05-011 fixes a vulnerability in SMB [Server Message Block], which is running on every version of Microsoft's operating systems that a corporation might be using. And it's exploitable remotely, so it doesn't rely on an e-mail or getting someone to a Web site. All the attacker has to do is send a properly-formatted packet and he'll break in.

"It's been a while since we've seen a vulnerability this widespread. This could easily lead to the biggest exploit in over a year," said Murray. "I'd put this in the same class as the vulnerability that led to [2003's] MSBlast. It's serious."

SMB is the standard protocol that Windows uses to share files, printers, and serial ports, and to communicate between computers, particularly between servers and client desktops. A specially-crafted SMB packet sent to a vulnerable PC could, said Microsoft, let an attacker "take complete control of the affected system."

The extent of February's regularly-scheduled patch release was expected, but still difficult to digest at first glance.

Nine of the bulletins impacted various versions of Windows to one extent or another, one each dealt with .Net Framework, SharePoint Services, Windows Media Player/MSN Messenger, and the perennial visitor to the patch process, Internet Explorer. Two revolved around Microsoft Office. (Some of those affecting Windows also affected other components, such as Office or SharePoint, the reason for the count difference.) More than half the bulletins tapped Windows XP Service Pack 2 (SP2) as vulnerable. SP2, Microsoft's massive security update that debuted in October, 2004, was then touted by the Redmond, Wash.-based developer as its biggest security-centric upgrade ever.

The eight bulletins and 10 vulnerabilities marked Critical could all be used by attackers to execute code remotely -- usually only after the user did something, such as visit a malicious Web site or click on a link within an e-mail -- or create a buffer overflow that could then be used to gain control of a machine.

Some of the fixes were more or less expected, said Murray, who noted that they corrected known, if not actually exploited, bugs. fit MS05-009, fit that bill, for it patched three vulnerabilities in Windows Media Player 9 and various versions of Microsoft's instant messenger against image-based exploits using PNG-formatted files. Another vulnerability in Media Player 10 and its implementation of digital rights management technologies, however, was not fixed in this month's round of patches.

MS05-012, on the other hand, affected an astonishing array -- 33 by our count -- of Microsoft's operating systems and applications, ranging from Windows XP SP2 to Office XP and Office 2003, and every supported version of Exchange Server since 5.0. This bulletin corrected a problem in processing COM structured storage files, and how they handled OLE (Object Linking and Embedding) input.

Internet Explorer hardly ever goes untouched in a monthly roll-out of patches, and February was no exception. MS05-014, fixed four IE flaws, including a drag-and-drop bug that hackers and phishers have already exploited to plant malicious code and spyware on users' PCs.

But Murray kept coming back to the SMB vulnerability as the big daddy of February.

"Every machine that has ports 139 and 445 open is at risk, and those ports are open on every standard Window box," he said. "Every Windows box is vulnerable."

Although nCircle had only begun its analysis by mid-afternoon Tuesday EST and had not yet determined how easy or difficult it would be to write an exploit for this, Murray noted that SMB is one of the best documented protocols. "SMB is pretty well known by everybody," he said.

His advice? Patch fast.

"I think someone will break [this vulnerability] in the next couple of days, and we'll see a wormable exploit within a week."

Tuesday's patches can be obtained through the usual channels: the Windows Update and Office Update services, or direct download from the Microsoft Web site.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
Register for InformationWeek Newsletters
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll