Microsoft Fesses Up To 19 Vulnerabilities, MSBlast-Level Worm Likely

Among them is a vulnerability that will likely lead to the biggest, baddest worm since mid-2003, said Mike Murray, the director of research at vulnerability management vendor nCircle.

"There's a clear 'winner' here," said Murray. " MS05-011 fixes a vulnerability in SMB [Server Message Block], which is running on every version of Microsoft's operating systems that a corporation might be using. And it's exploitable remotely, so it doesn't rely on an e-mail or getting someone to a Web site. All the attacker has to do is send a properly-formatted packet and he'll break in.

"It's been a while since we've seen a vulnerability this widespread. This could easily lead to the biggest exploit in over a year," said Murray. "I'd put this in the same class as the vulnerability that led to [2003's] MSBlast. It's serious."

SMB is the standard protocol that Windows uses to share files, printers, and serial ports, and to communicate between computers, particularly between servers and client desktops. A specially-crafted SMB packet sent to a vulnerable PC could, said Microsoft, let an attacker "take complete control of the affected system."

The extent of February's regularly-scheduled patch release was expected, but still difficult to digest at first glance.

Nine of the bulletins impacted various versions of Windows to one extent or another, one each dealt with .Net Framework, SharePoint Services, Windows Media Player/MSN Messenger, and the perennial visitor to the patch process, Internet Explorer. Two revolved around Microsoft Office. (Some of those affecting Windows also affected other components, such as Office or SharePoint, the reason for the count difference.) More than half the bulletins tapped Windows XP Service Pack 2 (SP2) as vulnerable. SP2, Microsoft's massive security update that debuted in October, 2004, was then touted by the Redmond, Wash.-based developer as its biggest security-centric upgrade ever.

The eight bulletins and 10 vulnerabilities marked Critical could all be used by attackers to execute code remotely -- usually only after the user did something, such as visit a malicious Web site or click on a link within an e-mail -- or create a buffer overflow that could then be used to gain control of a machine.

Some of the fixes were more or less expected, said Murray, who noted that they corrected known, if not actually exploited, bugs. fit MS05-009, fit that bill, for it patched three vulnerabilities in Windows Media Player 9 and various versions of Microsoft's instant messenger against image-based exploits using PNG-formatted files. Another vulnerability in Media Player 10 and its implementation of digital rights management technologies, however, was not fixed in this month's round of patches.

MS05-012, on the other hand, affected an astonishing array -- 33 by our count -- of Microsoft's operating systems and applications, ranging from Windows XP SP2 to Office XP and Office 2003, and every supported version of Exchange Server since 5.0. This bulletin corrected a problem in processing COM structured storage files, and how they handled OLE (Object Linking and Embedding) input.

Internet Explorer hardly ever goes untouched in a monthly roll-out of patches, and February was no exception. MS05-014, fixed four IE flaws, including a drag-and-drop bug that hackers and phishers have already exploited to plant malicious code and spyware on users' PCs.

But Murray kept coming back to the SMB vulnerability as the big daddy of February.

"Every machine that has ports 139 and 445 open is at risk, and those ports are open on every standard Window box," he said. "Every Windows box is vulnerable."

Although nCircle had only begun its analysis by mid-afternoon Tuesday EST and had not yet determined how easy or difficult it would be to write an exploit for this, Murray noted that SMB is one of the best documented protocols. "SMB is pretty well known by everybody," he said.

His advice? Patch fast.

"I think someone will break [this vulnerability] in the next couple of days, and we'll see a wormable exploit within a week."

Tuesday's patches can be obtained through the usual channels: the Windows Update and Office Update services, or direct download from the Microsoft Web site.