Microsoft Issues Critical Security Bulletins, Says Exploits Already Exist - InformationWeek


03:18 PM

Microsoft Issues Critical Security Bulletins, Says Exploits Already Exist

Microsoft releases a trio of security bulletins, all tagged as critical, two for Windows, the third for older editions of Microsoft Word.

Microsoft on Tuesday released a trio of security bulletins, all tagged as critical, two for Windows, the third for older editions of Microsoft Word.

The July list of vulnerabilities and patches may be a fraction of June's even dozen, but they're no less important to patch, said Mike Murray, the director of research at vulnerability management vendor nCircle.

"All three of these are worth patching, of course," said Murray, "because even for the one where an exploit isn't yet public, one probably will be."

But with the next breath, Murray noted that all three -- and virtually all of the year's vulnerabilities out of Microsoft -- are bugs on the client side, and require some kind of help from the user for an attacker to exploit them.

"I don't necessarily agree with Microsoft that Windows XP SP2 is the reason [for better security]," said Murray. "I think it's because Microsoft's code is maturing, especially its Web server code. We haven't seen a Web server vulnerability in, what, the last two years?"

The new SQL Server 2005, now slated for an early November release, will be the real test of Microsoft's security investments, Murray said. If that software proves secure, it will accelerate the enterprise trend of looking beyond the firewall for defense.

"Client-side vulnerabilities like we're seeing here shift the onus from focusing on the firewall to making sure you patch all vulnerabilities so the exploit window is short, and educating your users on best practices," argued Murray.

For two of this month's three bulletins, the exploit window is already open: active exploits are circulating for both the critical vulnerabilities in Windows.

One is MS05-036, which involves the Microsoft Color Management Module, a part of the operating system that provides consistent color mappings between different devices and applications. According to Microsoft, the module's method of handling color profiles is flawed, and could be used by a hacker to produce a buffer overflow, then gain control of the PC remotely.

A malicious image file specially created by the attacker could, for instance, be planted on a Web site or sent to a potential victim by e-mail. Once the vulnerability's exploited, the attacker could then hijack the computer to install his own code -- a backdoor Trojan, for instance -- or snatch data.

All currently-supported editions of Windows -- including Windows 2000, XP SP2, and Windows Server 2003 SP1 -- are vulnerable, said Microsoft, and should be patched immediately, in part because exploits already exist.

"This vulnerability isn't that new," said Murray. "An exploit for the color management bug has been in the underground for a while now." Nor is the second critical Windows bulletin, dubbed MS05-037, new. The vulnerability at the heart of that alert is the same as the one Microsoft noted July 1 in a Security Advisory, the company's new mechanism for warning users of bugs before patches are issued.

The "Javaprxy.dll" file, which is part of the Microsoft Java Virtual Machine, can be exploited to crash Internet Explorer and/or grab control of a compromised PC. Earlier, Microsoft issued a work-around that, when downloaded and run, changed the registry to disable Javaprxy.dll. This bulletin does the same thing; the only difference is that it's pushed out via Auto Update and available using the Microsoft Update service.

"If you have applied the download available from the advisory update issued on July 5, 2005, you do not need to apply this security update," said Microsoft in the bulletin.

This is the first time that a Microsoft security advisory has been upgraded to a security bulletin, as well as the first time that a bulletin was used to automate the delivery of a work-around, rather than a true patch that fixed the root of the problem.

The third July bulletin, MS05-035, concerns two versions of Microsoft Word, Word 2000 and Word 2002, and according to one analyst, may be the most dangerous of the bunch.

"I see this one as the most serious," said Brian Grayek, the chief technology officer for network security vendor Preventsys. "People are more likely to update their anti-virus software than anything else. Then the operating system, sort of when they think about it. But hardly anyone updates their applications."

This leaves a hole through which hackers can drive their exploits, Grayek said, noting that automatic updates of Microsoft Office applications are both relatively recent and work only with the newest operating systems of Windows 2000, XP, and Server 2003.

Another contributor to a high ranking of the Word bug is the fact that an exploit would arrive as a .doc file, a format that's generally trusted since malware rarely poses, or hides inside, Word documents.

Also on Monday, Microsoft updated the anti-spam filter definition file for its Outlook e-mail client, and posted a new version of the Windows Malicious Software Removal Tool. The software now detects and destroys several additional worms and Trojans, including Wootbot, Optix, Optixpro, Hacty (also known as YYTHAC), and Prustiu (also known as Delf.fn).

July's fixes can be downloaded using the new Microsoft Update service, Windows Update, or for enterprises, the relatively new Windows Server Update Services.
