Microsoft Patches 18 Vulnerabilities; Exchange Bug Dubbed Worst - InformationWeek

Microsoft Patches 18 Vulnerabilities; Exchange Bug Dubbed Worst

Microsoft on Tuesday rolled out eight security bulletins that encompassed 18 vulnerabilities and their patches, 7 of which the Redmond, Wash.-based vendor dubbed "Critical."

"This isn't the worst month of the year so far," said Mike Murray, the director of research at vulnerability management vendor nCircle, even though the vulnerability/patch count is two more than the 2005 record. "I think February was worse. From what I see so far, this month's vulnerabilities aren't as 'wormable' as February's. There's certainly no potential for MSBlast or Sasser here.

"But Microsoft is still behind what's been publicly disclosed," Murray added, noting that several vulnerabilities, including one made public Tuesday by Danish security firm Secunia, remain unfixed. The Secunia alert warned that a malformed .mdb file -- the format used by Microsoft Access databases -- could be used by attackers to hijack desktops or servers.

Of the eight bulletins posted Tuesday, the one Murray recommended enterprises turn to -- and patch -- first was MS05-021, a bulletin rated "Critical" that affects Exchange 2000 Server and Exchange Server 2003 (including Exchange 2003 with SP1 applied). The vulnerability lies in how Exchange's SMTP service handles "extended verbs." It is rated Critical only for Exchange 2000; Exchange 2003's default configuration provides additional protection, which let Microsoft lower the rating for that version to "Moderate."

"I don't see this as a big worm threat, but any exploit of an organization's mail servers can be disastrous," Murray said.
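The SMTP extensions a server supports are advertised in its reply to EHLO, which any client can request before authenticating; that is what puts a flaw in an extended verb within reach of the network. The block below is an added example for this article, not code from InformationWeek, Microsoft, or Exchange. It parses a constructed EHLO reply (not a real Exchange banner), validates the RFC 5321 line shape, and lists the non-standard, vendor-specific verbs the server advertises to an unauthenticated client. It does not identify the verb at issue in MS05-021, which the article does not name, and the X-prefixed keywords in the sample are hypothetical.

```python
"""Parse an SMTP EHLO reply and list the extensions a server advertises.

Added example for this article; not code from Microsoft or Exchange.
The reply below is constructed for illustration and the X-prefixed
keywords in it are hypothetical.
"""
import re

# Keywords registered with the IETF.  Anything outside this set (typically
# X-prefixed) is a vendor-specific "extended verb" and part of the
# unauthenticated attack surface worth reviewing.
STANDARD_EXTENSIONS = {
    "8BITMIME", "AUTH", "BINARYMIME", "CHUNKING", "DSN", "ENHANCEDSTATUSCODES",
    "ETRN", "EXPN", "HELP", "PIPELINING", "SIZE", "SMTPUTF8", "STARTTLS", "VRFY",
}


def parse_ehlo_reply(reply: bytes):
    """Return (greeting, {keyword: params}) from a raw multi-line EHLO reply.

    RFC 5321: every line starts with a three-digit code; continuation lines
    carry '-' as the fourth character and the final line carries a space.
    Replies that do not follow that shape are rejected rather than guessed at.
    """
    lines = [ln for ln in reply.decode("ascii", errors="strict").split("\r\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    greeting = None
    extensions = {}
    for idx, line in enumerate(lines):
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        code, sep, text = m.groups()
        if code != "250":
            raise ValueError(f"EHLO rejected with {code}: {text}")
        last = idx == len(lines) - 1
        if (sep == " ") != last:
            raise ValueError("continuation marker does not match line position")
        if idx == 0:
            greeting = text          # first line is the server's greeting
            continue
        parts = text.split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    return greeting, extensions


def vendor_extensions(extensions):
    """Keywords that are not IETF-registered, i.e. vendor extended verbs."""
    return sorted(k for k in extensions if k not in STANDARD_EXTENSIONS)


# Constructed sample reply; not a real server banner.
SAMPLE_REPLY = (
    b"250-mail.example.test Hello [192.0.2.10]\r\n"
    b"250-SIZE 10485760\r\n"
    b"250-PIPELINING\r\n"
    b"250-AUTH GSSAPI NTLM LOGIN\r\n"
    b"250-X-EXAMPLE-VERB EXT1 EXT2\r\n"      # hypothetical vendor verb
    b"250-X-HYPOTHETICAL-VERB\r\n"           # hypothetical vendor verb
    b"250 HELP\r\n"
)

if __name__ == "__main__":
    greeting, exts = parse_ehlo_reply(SAMPLE_REPLY)
    print("greeting:", greeting)
    for keyword in vendor_extensions(exts):
        print("vendor extended verb offered before authentication:", keyword)
```

In practice the reply would come from a socket after sending `EHLO`; the parser is the same. A verb listed here is reachable by anyone who can open port 25, so the list is what to compare against the vendor's bulletin, not proof that any given server is vulnerable.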

Four of the remaining bulletins involve Windows, while a fifth covers Internet Explorer.

The one Critical Windows bulletin, MS05-019, affects Windows 2000 (SP3 and SP4), Windows XP (including SP2), and Windows Server 2003, and patches five IP and TCP vulnerabilities, including one that could let an attacker take control of the machine. That IP-handling flaw does not apply to Windows XP SP2, good news for those who have already updated. The other four tackled in MS05-019 could be leveraged for various types of denial of service attacks on Windows machines.

As has become the norm, the batch of bulletins included one targeting Internet Explorer. MS05-020, which replaces a February bulletin, patches three new vulnerabilities in IE 5.01, 5.5, and 6.0, the last including the supposedly more secure version shipped in Windows XP SP2. This bulletin, rated Critical on Microsoft's four-level severity scale, patches bugs in how IE handles Dynamic HTML (DHTML) objects, how it parses URLs, and how it deals with certain Content Advisor content.

"Unfortunately, the three new vulnerabilities in IE are not really the big public ones," said Murray, referring to publicly-disclosed vulnerabilities in Microsoft's browser that remain unpatched.

The other three Windows operating system bulletins -- MS05-016, MS05-017, and MS05-018 -- patch 1, 1, and 4 vulnerabilities, respectively, and were rated Important, Moderate, and Important by Microsoft. Both the first and last affect Windows XP SP2, so even those users should patch "at the earliest opportunity," Microsoft said in the bulletins.

As in February, Microsoft also published critical patches for Microsoft Office and MSN Messenger. Two bulletins dealt with bugs in Word and in Microsoft's MSN Messenger 6.2.

MS05-022 takes care of the flaw in the latter: Messenger stumbles when asked to process an improperly-sized GIF image or emoticon. An attacker could send such an image over IM and take control of the PC, Microsoft said.

One advantage for early adopters is that the just released v. 7.0 of Messenger is immune to the flaw. (Oddly enough, however, users of the beta version of MSN Messenger 7.0 are at risk, and should upgrade as soon as possible.)
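The "improperly-sized image" failure mode the article describes is generic: a decoder that trusts the width and height declared in the file can compute a wrapped allocation size, or draw a sub-image outside the canvas it allocated. The block below is an added example, not Messenger's code and not a reproduction of the MS05-022 defect (the bulletin's internals are not described here). It parses minimal GIFs constructed inline, shows the unchecked 32-bit size computation beside a hardened one, and rejects an image descriptor that does not fit the logical screen. The pixel limit is an assumption chosen for the example.

```python
"""Validate GIF dimensions before allocating a pixel buffer.

Added example for this article; not Microsoft's Messenger code and not the
actual MS05-022 defect.  Sample files are constructed inline.
"""
import struct

MAX_PIXELS = 8192 * 8192     # policy limit: an assumption for this example
BYTES_PER_PIXEL = 4
U32_MAX = 0xFFFFFFFF


def parse_gif_header(data: bytes):
    """Return (version, screen_width, screen_height) from the 13-byte header."""
    if len(data) < 13:
        raise ValueError("truncated GIF header")
    sig, ver = data[:3], data[3:6]
    if sig != b"GIF" or ver not in (b"87a", b"89a"):
        raise ValueError("not a GIF file")
    width, height = struct.unpack_from("<HH", data, 6)
    return ver.decode(), width, height


def first_image_descriptor(data: bytes):
    """Skip the global color table and extension blocks; return the first
    image descriptor as (left, top, width, height)."""
    parse_gif_header(data)
    packed = data[10]
    pos = 13
    if packed & 0x80:                        # global color table present
        pos += 3 * (2 << (packed & 0x07))    # 3 bytes * 2^(N+1) entries
    while True:
        if pos >= len(data):
            raise ValueError("truncated before image descriptor")
        block = data[pos]
        if block == 0x2C:                    # image separator
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            return struct.unpack_from("<HHHH", data, pos + 1)
        if block == 0x21:                    # extension: label, then sub-blocks
            pos += 2
            while True:
                if pos >= len(data):
                    raise ValueError("truncated extension")
                n = data[pos]
                pos += 1 + n
                if n == 0:
                    break
            continue
        if block == 0x3B:                    # trailer
            raise ValueError("no image in file")
        raise ValueError(f"unknown block 0x{block:02x}")


def naive_buffer_size(width, height):
    """What an unchecked 32-bit decoder computes: width*height*4 mod 2^32.
    The product wraps, so an absurd image yields a *small* allocation."""
    return (width * height * BYTES_PER_PIXEL) & U32_MAX


def naive_is_undersized(width, height):
    """True when the wrapped allocation is smaller than what the decoder will
    actually write: the condition that turns an oversized image into a heap
    overflow in the unchecked decoder."""
    return naive_buffer_size(width, height) < width * height * BYTES_PER_PIXEL


def safe_buffer_size(width, height):
    """Hardened version: reject zero-sized images, multiplication overflow
    and anything beyond the policy limit before allocating."""
    if width == 0 or height == 0:
        raise ValueError("zero-sized image")
    size = width * height * BYTES_PER_PIXEL
    if size > U32_MAX:
        raise ValueError("allocation size overflows 32 bits")
    if width * height > MAX_PIXELS:
        raise ValueError("image exceeds policy limit")
    return size


def check_image(data: bytes):
    """Full check: header, sub-image fits the logical screen, safe allocation."""
    _, sw, sh = parse_gif_header(data)
    left, top, w, h = first_image_descriptor(data)
    if left + w > sw or top + h > sh:
        raise ValueError("image descriptor exceeds logical screen")
    return safe_buffer_size(sw, sh)


def build_gif(sw, sh, left, top, w, h):
    """Construct a minimal GIF (no color table, empty image data)."""
    header = b"GIF89a" + struct.pack("<HHBBB", sw, sh, 0x00, 0, 0)
    descriptor = b"\x2C" + struct.pack("<HHHHB", left, top, w, h, 0)
    return header + descriptor + b"\x02\x00\x3B"


# Constructed samples.
GOOD = build_gif(16, 16, 0, 0, 16, 16)            # 1 KiB of pixels
WRAP = build_gif(32768, 32768, 0, 0, 32768, 32768)  # 4 GiB, wraps to 0 bytes
OVERSIZE = build_gif(9000, 9000, 0, 0, 9000, 9000)  # fits 32 bits, over policy
OUTSIDE = build_gif(16, 16, 8, 8, 16, 16)         # sub-image spills off canvas

if __name__ == "__main__":
    print("naive size for 32768x32768:", naive_buffer_size(32768, 32768))
    for name, sample in (("GOOD", GOOD), ("WRAP", WRAP),
                         ("OVERSIZE", OVERSIZE), ("OUTSIDE", OUTSIDE)):
        try:
            print(name, "->", check_image(sample), "bytes")
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

The unchecked computation in `naive_buffer_size` is the point: 32768 x 32768 x 4 is exactly 2^32, so the allocation size wraps to zero while the decode loop still expects to write 4 GiB. The hardened path checks the product before the arithmetic is trusted, which is the only place the check can live.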

Word -- the 2000, 2002, and 2003 versions -- can be exploited by getting users to open a specially-crafted document, most likely sent to them as an e-mail attachment. A successful attack would give the attacker full control of the machine. The newest version of Word, found in Office 2003, is slightly less at risk than Word 2000 and 2002.

Tuesday's patches can be obtained through the usual channels: the Windows Update and Office Update services, or directly downloaded from the Microsoft Web site.

Microsoft is beta testing a new service, dubbed Microsoft Update, that will keep users current with security patches and other updates for not only Windows, but also Office and Exchange. Microsoft Update, however, won't debut until mid-year, Microsoft has said.

To add to Tuesday's workload for IT administrators and staff, it was also the expiration date for Microsoft's Windows XP SP2 blocking tools.

"I would hope that IT staffs are prepared for today's SP2," said Murray. "But if they're not, it's going to be a long day, dealing both with SP2 and patching all the vulnerabilities Microsoft's released."
