More Fixes From Microsoft

It issued patches for vulnerabilities in Internet Explorer, Windows, FrontPage, and Office, with three of the five flaws rated as "critical," its highest-ranking assessment.
Microsoft has issued patches for vulnerabilities in Internet Explorer, Windows, FrontPage, and Office in the second of its now-monthly rollouts of fixes.

Of the five flaws, Microsoft rated three as "critical," its highest-ranking threat assessment. Several let attackers remotely execute code on compromised machines.

In addition, exploit code and proof-of-concept code--which is typically used to build exploits--are circulating on the Internet for all three critical vulnerabilities, according to security firms such as Symantec, which has released alerts to users of its global DeepSight threat-assessment network.

"Yes, there are known exploits," confirmed Mark Miller, the manager of Microsoft's security-response team. "We've seen several posted on public Web sites and we're investigating them."

Last month, Microsoft switched from a weekly vulnerability- and patch-release schedule--it was debuting them on Wednesdays--to a new schedule starting the first Tuesday of every month.

Although some analysts have tagged the move as a public-relations ploy in response to criticism from users that patches were coming too fast and furious for them to install, Microsoft defended the practice on Wednesday, saying its customers demanded the change.

Debbie Fry Wilson, director of Microsoft's security business unit, also touted her company's overall security efforts, claiming that Microsoft was making progress in plugging holes.

"We continue to see benefits from our Trustworthy Computing initiative," she said. "The Office security bulletin doesn't impact Office 2003, and the others do not apply to Windows Server 2003 or are mitigated by its default settings." She noted that both recently released products were developed under the vendor's strategy to create more secure software.

Internet Explorer, which was plagued with a slew of unpatched vulnerabilities last week, was the hardest hit. The Web browser contains five flaws, three of which are related to its cross-domain security model, which keeps windows of different domains from sharing information.

If attackers can entice users to visit a specially crafted Web site or view a malicious HTML-based E-mail, they can exploit the vulnerability in the My Computers security zone with an executing script. This could then let the attackers gain control of the machine, access files, and insert other code, such as a Trojan horse.

Another vulnerability within Internet Explorer 5.01 through 6.0 is due to the way the browser passes zone data to XML objects. Like the others, attackers can exploit this via Web sites and HTML mail, although the user would also have to download an HTML file before the hacker could access files on the machine. The fifth and final flaw is in the drag-and-drop mechanism within Internet Explorer, which, if exploited, could let an attacker save a file--perhaps malicious code, such as a Trojan--on the compromised system.

Windows XP and 2000 suffer from a separate buffer-overflow vulnerability--which, like the IE problems, is ranked as "critical"--in the Workstation service. Unpatched, the flaw lets attackers execute code remotely on PCs running those operating systems. In lieu of patching, Microsoft recommended that business users block a number of ports at the firewall, including UDP ports 138, 139, and 445, and TCP ports 138, 139, and 445.

Windows XP users who applied the patch issued on Oct. 15--tagged as MS03-043 by Microsoft--are already protected against this vulnerability, said Microsoft; however, Windows 2000 users are not and must install this newest fix, said Miller.

The third critical vulnerability relates to FrontPage Server Extensions--a component of Windows 2000, Windows XP, and Office XP--which is also open to buffer overflow attacks as well as denial-of-service assaults. In a worst-case scenario, hackers could execute code remotely on machines connecting to a server, or cause a server running the Extensions to stop responding to requests from client systems.

A pair of less-than-critical fixes were also among the month's bag of patches. Older editions of Office's Word and Excel--from the Office 97 editions through Office XP's--are vulnerable to exploits delivered through macros, a tactic once widely used by attackers but one that has since fallen out of favor. Maliciously crafted Excel or Word documents, if opened by a user, could give the attacker complete control of the PC and wreak damage by deleting files or even reformatting the hard drive. Microsoft ranked this flaw as "important," the second-highest rating in its four-level assessment system.

Finally, Microsoft issued an "important" security bulletin, and an updated patch, for Windows 2000.

On Wednesday, during a Webcast outlining the new vulnerabilities, Microsoft also announced new security tools and services on its TechNet Web site. IT administrators now can search on the severity of patches--to ferret out only those ranked "critical," for instance--and access a new sub-site called IT Pro Security Zone, where they can access security newsgroups and tap experts among Microsoft's Most Valuable Professionals for answers to security-related questions.

Wilson also promised a more secure Windows XP next year, when Microsoft releases the second Service Pack for the operating system. "Windows XP SP2 will include features that will make the platform more secure by default, and hopefully mitigate some vulnerabilities," she said.

Among the tactics that Microsoft will take in Service Pack 2 are the by-default disabling of Windows Messenger Service and a by-default enabling of the personal firewall that ships with the operating system. Microsoft has not set a definite release date for the service pack, saying only that it would appear during the first half of next year.

The patches for the newly announced vulnerabilities can be downloaded from Microsoft's Security & Privacy page, or retrieved using the Microsoft WindowsUpdate and services.
