Microsoft Patches 18 Vulnerabilities; Exchange Bug Dubbed Worst

"This isn't the worst month of the year so far," said Mike Murray, the director of research at vulnerability management vendor nCircle, even though the vulnerability/patch count is two more than the 2005 record. "I think February was worse. From what I see so far, this month's vulnerabilities aren't as 'wormable' as February's. There's certainly no potential for MSBlast or Sasser here.

"But Microsoft is still behind what's been publicly disclosed," Murray added as he noted that several vulnerabilities, including one made public Tuesday by Danish security firm Secunia, remain unfixed. The Secunia alert warned that a malformed .mdb file -- those used by Microsoft's Access database -- could be used by hackers to hijack desktops or servers.

Of the eight bulletins posted Tuesday, the one that Murray recommended enterprises turn to -- and patch -- first, was MS05-021, a bulletin tagged "Critical" that affects Microsoft Exchange 2000 and Exchange 2003 Server (including the latter when upgraded to SP1). The vulnerability, which has to do with how Exchange handles SMTP "extended verbs," is actually only Critical for Exchange 2000; Exchange 2003's default security provides additional protection, letting Microsoft drop the ranking to just "Moderate."

"I don't see this as a big worm threat, but any exploit of an organization's mail servers can be disastrous," Murray said.


Four of the remaining bulletins involve Windows, while a fifth affects both Windows and Internet Explorer.

The one Critical Windows bulletin, MS05-019, affects Windows 2000 (SP3 and SP4), Windows XP (including SP2), and Windows Server 2003, and patches five IP and TCP vulnerabilities, including one that could be used by attackers to grab control of the PC. Fortunately for those who have updated Windows XP, that IP address flaw doesn't apply to Windows XP SP2. The other four tackled in MS05-019 could be leveraged for various types of denial-of-service attacks on Windows machines.

As has become the norm, the batch of bulletins included one targeting Internet Explorer. MS05-020, which is an update to a February bulletin, patches three new vulnerabilities in IE 5.01, 5.5, and 6.0, the latter including the supposedly more secure version in Windows XP SP2. This bulletin, tagged as Critical in Microsoft's four-step assessment, patches bugs in how IE handles Dynamic HTML (DHTML) objects, how it parses URLs, and how it deals with certain Content Advisor content.

"Unfortunately, the three new vulnerabilities in IE are not really the big public ones," said Murray, referring to publicly-disclosed vulnerabilities in Microsoft's browser that remain unpatched.

The other three Windows operating system bulletins -- MS05-016, MS05-017, and MS05-018 -- patch one, one, and four vulnerabilities, respectively, and were ranked as Important, Moderate, and Important by Microsoft. Both the first and last affect Windows XP SP2, so even those users should patch "at the earliest opportunity," said Microsoft in the bulletins.

As in February, Microsoft also published critical patches for Microsoft Office and MSN Messenger. Two bulletins dealt with bugs in Word and in Microsoft's MSN Messenger 6.2.

MS05-022 takes care of a loose screw in the latter, which stumbles when asked to process an improperly-sized GIF image or emoticon. Hackers could send such images via IM, and snatch control of the PC, said Microsoft.

One advantage for early adopters is that the just-released version 7.0 of Messenger is immune to the flaw. (Oddly enough, however, users of the beta version of MSN Messenger 7.0 are at risk, and should upgrade as soon as possible.)

Office's Word -- the 2000, 2002, and 2003 versions -- can be exploited by getting users to open a specially-crafted document, most likely by sending it to them as an e-mail attachment. A successful attack would let the hacker gain full control of the machine. The newest version of Word, found in Office 2003, is slightly less at risk than Word 2000 and 2002.

Tuesday's patches can be obtained through the usual channels: the Windows Update and Office Update services, or directly downloaded from the Microsoft Web site.

Microsoft is beta testing a new service, dubbed Microsoft Update, that will keep users current with security patches and other updates for not only Windows, but also Office and Exchange. Microsoft Update, however, won't debut until mid-year, Microsoft has said.

To add to Tuesday's workload for IT administrators and staff, it was also the expiration date for Microsoft's Windows XP SP2 blocking tools.

"I would hope that IT staffs are prepared for today's SP2," said Murray. "But if they're not, it's going to be a long day, dealing both with SP2 and patching all the vulnerabilities Microsoft's released."