Thanks to Information Week for this info on some really nasty Windows holes that need to be patched now.
Microsoft on Tuesday published 12 security bulletins for Windows and Office that patched 23 vulnerabilities, 16 of which the Redmond, Wash. developer tagged as “critical.” Both the number of bugs disclosed and the tally of critical fixes broke previous records.
Ten of the updates addressed flaws in Windows, while two affected Microsoft Office or one of its bundled applications. According to security analysts, several of the bulletins patch vulnerabilities that are already being exploited in the wild, including one used to attack the PowerPoint presentation maker just days after July’s security updates were revealed.
Security analysts immediately pegged the MS06-040 bulletin as the fix to apply first.
In an alert to customers of its DeepSight threat system, Cupertino, Calif.-based Symantec noted that MS06-040, which fixes a flaw in Windows’ Server service, should be patched pronto. “At least one exploit for the issue has already been developed, and as such may be released soon,” Symantec stated. “The issues can be exploited by an anonymous user against Windows XP SP2 to execute arbitrary code, making it a prime candidate for a worm.”
Mike Murray, director of research at vulnerability management vendor nCircle, was even more adamant about MS06-040’s potential. “We’ve seen these kinds of service vulnerabilities before, and for one reason or another, [worms] haven’t turned up,” said Murray. “But all is lined up for this to be a big one.”
The bug, which affects all currently supported versions of Windows, including fully patched Windows XP SP2 and Windows Server 2003 SP1, is similar to, but not identical to, the 2003 RPC vulnerability that led to the MSBlast worm.
“We won’t know for about 24 hours exactly how dangerous this is, but it could end up presenting a major problem,” Murray said. “It looks like Windows’ authentication isn’t needed, so an anonymous user could launch from outside the network.”
Symantec also reminded users that a similar bug was responsible for one of the biggest worm attacks ever. “The vulnerable service is the same used by the Blaster worm in past years,” the alert read.
Nine of the dozen bulletins were labeled as critical, Microsoft’s most dire rating. Among them were several that plugged various holes in Web-related components of Windows. Internet Explorer, Microsoft’s browser, accounted for more than a third of the total bugs (8 of 23), with 5 of the 16 critical flaws falling under MS06-042. Even the most secure version of the browser, IE 6 for Windows XP SP2, was hit with 3 critical fixes.
“Just like always, we’re seeing all this Web stuff,” said Murray. “We’re back to the monthly IE vulnerabilities fix.”
According to Symantec, 3 of the 8 bugs in IE had been disclosed before Tuesday, 4 let attackers introduce their own code to a compromised system, and 3 can be exploited to gain access through lower IE security settings.
Chris Andrew, vice president of security technologies at PatchLink, took a different tack than his rival Murray and touted the browser bugs as those to fix first. “The importance of the browser should mean getting it patched ASAP,” said Andrew.
But he also pointed out that other fixes marked “critical” shouldn’t be ignored. “None of them are really ‘wait till later,’” he said.
While Windows got the most attention, Microsoft Office was the subject of two bulletins and three vulnerability fixes. PowerPoint was patched by MS06-048, while a critical bug in Visual Basic was plugged by MS06-047. The latter, said Microsoft, could be exploited by crafting a malicious document that supports Visual Basic scripting. Word, Excel, and PowerPoint users are at risk. On the plus side, said Symantec, up-to-date versions of Office 2003 (SP1 and SP2) are immune. As with some Office fixes released in June and July, the PowerPoint bulletin also affects Mac users of Office X and Office 2004. Mac patches can be downloaded from Microsoft’s Mac-specific site.
August’s count of 12 bulletins and 23 patches brought the three-month vulnerability count to a whopping 63, and the bulletin tally to 31, totals that easily broke previous records.
“It’s been quite a summer,” said Murray, who saw the numbers as a good thing.
“More important than anything else, I think this shows that Microsoft is being more transparent,” Murray argued. “In the past, Microsoft would release a couple of bulletins but then patch a bunch of other stuff on the back end without telling us.
“Now they’re a lot more transparent. They’re showing us everything there is to show.”
PatchLink’s Andrew saw a different rationale for the glut. “The rate of [vulnerability] discovery is outstripping the rate of patching,” Andrew said as he noted that security researchers — both black hat and white hat — are increasingly turning to automated tools to help them dig up bugs.
“That results in a backlog of vulnerabilities that need to be fixed,” Andrew said.
Users can obtain the month’s patches via Windows’ Automatic Update, from the Microsoft Update service, or through other software and services the company offers, including Windows Server Update Services (WSUS) and Software Update Services (SUS).