Microsoft Security Patches Stanch Windows, Exchange Flaws

Two of the three bulletins were tagged as "critical," including MS06-019, which patches a flaw in Exchange Server, and MS06-020, which involved the third-party product, Adobe's Flash Player.

"This [the Flash flaw] is the one that will be most disruptive to the most users," said Chris Andrew, vice president of security technologies at patch and vulnerability management developer PatchLink.

Windows XP SP1, Windows XP SP2, Windows 98, and Windows Millennium are bundled with a vulnerable version of Flash, said Microsoft in its alert, and users should update their copies immediately.

According to Microsoft, the Flash Player can be exploited by attackers armed with specially-crafted .swf (Flash animation files) using one of two different bugs. Either vulnerability can be used by hackers, most likely via silent drive-by downloads off malicious Web sites, to hijack PCs. In Microsoft's Internet Explorer, which is typically where Flash animations are rendered, Flash is an ActiveX control.

"Third party vulnerabilities, when those third-party products are bundled with Windows, must be patched just as if they were Windows bugs," explained PatchLink's Andrew.

Last month, Adobe had warned users of the bugs, and told them to update Flash. For its part, Microsoft issued a security advisory at the same time recommending that users upgrade. Tuesday's bulletin formalizes the advice by pushing updates to Windows XP users via Windows Update, Microsoft Update, and other mechanisms from the Redmond, Wash.-based developer. However, Windows 98 and Millennium users were told in the bulletin to head to Adobe's Web site to update Flash themselves.

E-mail Flaw

The critical MS06-019 bulletin patches a flaw in Exchange Server 2000's and Exchange Server 2003's calendaring function. The vulnerability could let attackers grab control of mail server systems. End-user clients -- desktops running the Outlook e-mailer, for instance -- are not affected.

"This is the most serious of the three," argued Mike Murray, director of research at vulnerability management vendor nCircle, taking a different tack than Andrew. "Exchange is pretty widely adopted. The mitigating factor is that they're usually behind a firewall."The third bulletin, MS06-018, was relegated by Microsoft to "moderate" status, second in the company's four-step assessment scale, because it can't be used to actually grab a PC but is limited to a denial-of-service (DoS) situation where Windows can be made to crash.

Windows XP, Windows 2000, and Windows Server 2003 all must be patched to prevent a pair of bugs in the Microsoft Distributed Transaction Coordinator (MSDTC) from bringing the system to its knees.

Tuesday wasn't the first time MSDTC was patched. In October 2005, Microsoft fixed a different MSDTC flaw. Both that bug and the one in MS06-018 were discovered by eEye Digital Research investigators.

While Murray called Tuesday's roll-out "a pretty boring day" for patching, he had an unusual take on the fix for Adobe's Flash Player. "We can't get our heads around [MS06-020]. Maybe there's something going on behind the scenes, but since when has Microsoft patched third-party products? Is this a move to take more accountability of bundled, partnered products in Windows? If so, that would be huge, a phenomenal step for Microsoft, to essentially 'own' security at any level that touches the Microsoft OS."

The shift would be similar, said Murray, to Apple Computer Inc.'s practice of patching third-party applications bundled with its Mac OS X, such as the open-source Apache Web server software.

In November, 2005, Microsoft put out a bulletin similar to the one in March 2006, in which it recommended that users update Flash based on Adobe's own alert. But it didn't follow up the next month with a forced patch, as it did Tuesday. "If Microsoft wound up with that accountability, you'd see an incredible improvement in security," said Murray.

Microsoft did not immediately return a call for clarification on the Adobe Flash patch.

Users can obtain the month's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company maintains, such as Windows Server Update Services (WSUS) or Software Update Services (SUS).