Microsoft Patches 12 Vulnerabilities, New SMB Bug "Definitely Serious"
Three of the 12 vulnerabilities were marked as "Critical," Microsoft's most urgent alert level in its four-step warning system. All three affect OS components or Internet Explorer code that has been patched multiple times in the past.
The bulletins marked MS05-025, 026, and 027 are the three with Critical vulnerabilities, said Microsoft. They affect Internet Explorer; the HTML Help system in Windows 2000, XP, and Server 2003; and the Server Message Block (SMB) protocol in the same three versions of Windows.
"All three of these services have been patched in the past," said Mike Murray, the director of research at vulnerability management vendor nCircle. "In fact, one of the IE vulnerabilities, the XML redirection vulnerability, is just a new variant of an older vulnerability."
Murray rejected the idea that the patch-repatch-patch-again process proves that Microsoft has a quality control problem. Instead, he laid the blame at the feet of smart vulnerability researchers and hackers. "There are some clever people figuring out previous patches, and then saying 'if I did X and Y, I could get around that patch,'" said Murray.
Microsoft security program manager Stephen Toulouse naturally agreed. "It's more a matter of the focus that researchers bring to it [that decides which vulnerabilities get found]," he said. "One of the things that we do when we receive a report from a researcher is actually do code reviews to see, for instance, how the affected code interoperates. In these cases, the vulnerabilities were just different enough [from prior vulnerabilities] that they weren't caught in those earlier code reviews."
The vulnerability with the potential to wreak the most havoc, said Murray and others, is MS05-027, the flaw in SMB, the protocol that Windows uses to share files, printers, and serial ports, and to communicate between computers. Similar to, but not a repeat of, a bulletin released in February, 027 has the potential for being exploited by a worm on the order of, say, MSBlast, said Murray.
"If you read the bulletin, it doesn't say anything about authentication," said Murray. "In other words, does an attacker need to have a valid log-in username and password? If not, and it doesn't require authentication, that means anyone can break into the box."
Toulouse of Microsoft confirmed that the SMB vulnerability didn't require authentication, but stressed that the most likely result of an attack would be a less-dangerous denial of service. "Even so, we're erring on the side of caution, and rating this as Critical because of the theoretical potential."
nCircle's Murray took the word "theoretical" with a grain of salt. "If there's a way to exploit a vulnerability, hackers will do it," he said.
"This is definitely serious. It's the only vulnerability of the bunch that could be exploited by a large-scale network worm," Murray said. But he also hedged his bets, perhaps because a similar call in February was quickly proved wrong after additional analysis. "We'll know more in the next six hours or so, as we examine the vulnerability."
Other analysts also tagged MS05-027 as the one to watch. Neel Mehta, a team leader with Internet Security Systems' X-Force security research group, named it as his number one threat "because of its scope and the fact that user authentication's not required, nor user interaction." Writing an exploit for the SMB bug won't be easy -- Mehta called it "fairly challenging" -- but he said it wouldn't be long, perhaps within the week, before an exploit appeared. "It's actually more potentially dangerous than the February vulnerability in SMB," he added. "We're going to be tracking this carefully."
Windows XP SP2 users who have left the by-default-enabled Windows Firewall in place are protected to some extent, said several of the researchers interviewed, since it automatically blocks the external ports used by the SMB service. "But if someone has disabled the firewall, or has turned file sharing on," Mehta explained, "they could be hit."
It was the other two Critical bulletins -- one that fixes flaws in how IE processes PNG (Portable Network Graphics) image files, another in Windows' HTML Help -- that got the attention of another researcher, Alfred Huger, vice president of engineering for Symantec's security response team.
"I think 025 and 026 are the ones I found the most alarming," said Huger. "Both the PNG and HTML vulnerabilities are dangerous because they can affect so many end targets. Essentially, anyone with IE that's unpatched is at risk. And we've seen how fast phishers and rogue Web sites are in picking up on graphics vulnerabilities." Like Mehta, Huger expects to see exploits soon. "There will be exploits within the week," he said of the PNG bug.
The remaining seven bulletins, which detail and patch four vulnerabilities marked as "Important" and four labeled "Moderate," cover a variety of Windows components or Microsoft applications, ranging from Outlook Web Access on the aging Exchange Server 5.5 to Microsoft Internet Security and Acceleration (ISA) Server 2000.
Patches can be downloaded using the new Microsoft Update service or, for enterprises, the just-released Windows Server Update Services.
Those services, said Microsoft's Toulouse, were "working just fine" Tuesday in their debut.