Microsoft Issues More Desktop Patches

Of the five flaws, Microsoft rated three as "critical," the highest ranking of the Redmond, Wa.-based developer's threat assessments. Several allow attackers to remotely execute code on compromised machines.

In addition, exploit code and proof-of-concept code - the latter code is typically used to build exploits - are circulating on the Internet for all three critical vulnerabilities, according to security firms such as Symantec, which has released alerts to users of its global DeepSight threat-assessment network.

"Yes, there are known exploits," confirmed Mark Miller, the manager of Microsoft's security- response team. "We've seen several posted on public Web sites and we're investigating them."

Last month, Microsoft switched from a weekly vulnerability - and patch-release schedule - it was debuting them on Wednesdays--to a new schedule starting the first Tuesday of every month.

Although some analysts have tagged the move as a public-relations ploy--in response to criticism from users that patches were coming too fast and furious for them to install - Microsoft defended the practice on Wednesday, saying its customers demanded the change.

Debbie Fry Wilson, the director of Microsoft's security business unit, also touted her company's overall security efforts, claiming that Microsoft was making progress in plugging holes.

"We continue to see benefits from our Trustworthy Computing initiative," she said. "The Office security bulletin doesn't impact Office 2003, and the others do not apply to Windows Server 2003, or are mitigated by its default settings," she added, noting that both recently released products were developed under the vendor's strategy to create more secure software.

Internet Explorer, which was plagued with a slew of unpatched vulnerabilities last week, was the hardest hit of the Microsoft products. The popular Web browser contains five flaws, three of which are related to its cross-domain security model, which keeps windows of different domains from sharing information.

If attackers can entice users to a specially crafted Web site or view a malicious HTML-based e-mail, they can exploit the vulnerability in the My Computers security zone with an executing script This could then allow the attackers to gain control of the machine, access files, and insert other code, such as a Trojan horse.

Another vulnerability within IE 5.01 through 6.0 is due to the way the browser passes zone data to XML objects. Like the others, attackers can exploit this via Web sites and HTML mail, although the user would also have to download an HTML file before the hacker could access files on the machine. The fifth, and final, flaw is in the drag-and-drop mechanism within IE, which, if exploited, could allow an attacker to save a file--perhaps malicious code, such as a Trojan--on the compromised system.

Windows XP and 2000 suffer from a separate buffer-overflow vulnerability--like the IE problems, ranked as "critical" - in the Workstation service. Unpatched, the flaw allows attackers to execute code remotely on PCs running those OSes. In lieu of patching, Microsoft recommended that enterprises block a number of ports at the firewall, including UDP ports 138, 139, and 445, and TCP ports 138, 139, and 445.

Windows XP users who applied the patch issued on October 15--tagged as MS03-043 by Microsoft - are already protected against this vulnerability, said Microsoft, but Windows 2000 users are not, and must install this newest fix, said Miller.

The third critical vulnerability relates to FrontPage Server Extensions--a component of Windows 2000, Windows XP, and Office XP--which is also open to buffer overflow attacks as well as denial-of-service (DoS) assaults. In a worst-case scenario, hackers could execute code remotely on machines connecting to a server, or cause a server running the Extensions to stop responding to requests from client systems.

A pair of less-than-critical fixes were also among the month's bag of patches. Older editions of Office's Word and Excel--from the Office 97 editions through Office XP's - are vulnerable to exploits delivered through macros, a tactic once widely used by attackers but one that has since fallen out of favor. Maliciously crafted Excel or Word documents, if opened by a user, could give the attacker complete control of the PC, and wreck damage by deleting files or even reformatting the hard drive. Microsoft ranked this flaw as "important," the second-highest rating in its four-level assessment system. (See related story.)

Finally, Microsoft issued an "important" security bulletin, and updated patch, for Windows 2000.

On Wednesday, during a Webcast outlining the new vulnerabilities, Microsoft also announced new security tools and services on its TechNet Web site. IT administrators can now search on the severity of patches--to ferret out only those ranked "critical," for instance--and access a new sub-site called IT Pro Security Zone, where they can access security newsgroups and tap experts among Microsoft's Most Valuable Professionals (MVPs) for answers to security-related questions.

Wilson also promised a more secure Windows XP next year, when Microsoft releases the second Service Pack for the operating system. "Windows XP SP2 will include features that will make the platform more secure by default, and hopefully mitigate some vulnerabilities," she said.

Among the tactics that Microsoft will take in Windows XP SP2 are the by-default disabling of Windows Messenger Service and a by-default enabling of the personal firewall that ships with the OS.

Microsoft has not set a definite release date for SP2, saying only that it would appear during the first half of 2004.

The patches for the newly announced vulnerabilities can be downloaded from Microsoft's Security & Privacy page, or retrieved using the Microsoft WindowsUpdate and OfficeUpdate services.

This story courtesy of TechWeb.