Microsoft Issues Critical Security Bulletins, Says Exploits Already Exist

The July list of vulnerabilities and patches may be a fraction of June's even dozen, but they're no less important to patch, said Mike Murray, the director of research at vulnerability management vendor nCircle.

"All three of these are worth patching, of course," said Murray, "because even for the one where an exploit isn't yet public, one probably will be."

But with the next breath, Murray noted that all three -- and virtually all of the year's vulnerabilities out of Microsoft -- are bugs on the client side, and require some kind of help from the user for an attacker to exploit them.

"I don't necessarily agree with Microsoft that Windows XP SP2 is the reason [for better security]," said Murray. "I think it's because Microsoft's code is maturing, especially its Web server code. We haven't seen a Web server vulnerability in, what, the last two years?"

The new SQL Server 2005, now slated for an early November release, will be the real test of Microsoft's security investments, Murray said. If that software proves secure, it will accelerate the enterprise trend of looking beyond the firewall for defense.

"Client-side vulnerabilities like we're seeing here shift the onus from focusing on the firewall to making sure you patch all vulnerabilities so the exploit window is short, and educating your users on best practices," argued Murray.

For two of this month's three bulletins, the exploit window is already open: active exploits are circulating for both the critical vulnerabilities in Windows.

One is MS05-036, which involves the Microsoft Color Management Module, a part of the operating system that provides consistent color mappings between different devices and applications. According to Microsoft, the module's method of handling color profiles is flawed, and could be used by a hacker to produce a buffer overflow, then gain control of the PC remotely.

A malicious image file specially created by the attacker could, for instance, be planted on a Web site or sent to a potential victim by e-mail. Once the vulnerability's exploited, the attacker could then hijack the computer to install his own code -- a backdoor Trojan, for instance -- or snatch data.

All currently-supported editions of Windows -- including Windows 2000, XP SP2, and Windows Server 2003 SP1 -- are vulnerable, said Microsoft, and should be patched immediately, in part because exploits already exist.

"This vulnerability isn't that new," said Murray. "An exploit for the color management bug has been in the underground for a while now." Nor is the second critical Windows bulletin, dubbed MS05-037, new. The vulnerability at the heart of that alert is the same as the one Microsoft noted July 1 in a Security Advisory, the company's new mechanism for warning users of bugs before patches are issued.

The "Javaprxy.dll" file, which is part of the Microsoft Java Virtual Machine, can be exploited to crash Internet Explorer and/or grab control of a compromised PC. Earlier, Microsoft issued a work-around that, when downloaded and run, changed the registry to disable Javaprxy.dll. This bulletin does the same thing; the only difference is that it's pushed out via Auto Update and available using the Microsoft Update service.

"If you have applied the download available from the advisory update issued on July 5, 2005, you do not need to apply this security update," said Microsoft in the bulletin.

This is the first time that a Microsoft security advisory has been upgraded to a security bulletin, as well as the first time that a bulletin was used to automate the delivery of a work-around, rather than a true patch that fixed the root of the problem.

The third July bulletin, MS05-035, concerns two versions of Microsoft Word, Word 2000 and Word 2002, and according to one analyst, may be the most dangerous of the bunch.

"I see this one as the most serious," said Brian Grayek, the chief technology officer for network security vendor Preventsys. "People are more likely to update their anti-virus software than anything else. Then the operating system, sort of when they think about it. But hardly anyone updates their applications."

This leaves a hole through which hackers can drive their exploits, Grayek said, noting that automatic updates of Microsoft Office applications are both relatively recent and work only with the newest operating systems of Windows 2000, XP, and Server 2003.

Another contributor to a high ranking of the Word bug is the fact that an exploit would arrive as a .doc file, a format that's generally trusted since malware rarely poses, or hides inside, Word documents.

Also on Monday, Microsoft updated the anti-spam filter definition file for its Outlook e-mail client, and posted a new version of the Windows Malicious Software Removal Tool. The software now detects and destroys several additional worms and Trojans, including Wootbot, Optix, Optixpro, Hacty (also known as YYTHAC), and Prustiu (also known as Delf.fn).

July's fixes can be downloaded using the new Microsoft Update service, Windows Update, or for enterprises, the relatively new Windows Server Update Services.