Wednesday, 13 August 2008 05:37

Patch frenzy erupts after August Patch Tuesday

By Stephen Withers
With 26 vulnerabilities covered, August's Patch Tuesday was a biggie! Microsoft issued 11 bulletins, but 12 were expected. What has Microsoft applied the band-aids to, and what is yet to be patched?

Patch Tuesday was a ritual Microsoft once thought it could abolish for Windows Vista, if not for its entire product line. But 26 patched vulnerabilities – including one in Vista itself - show that was a forlorn hope, and how much work Microsoft has to keep putting in to ensure its products are as safe as possible.

Before we get into all the detail of what was patched and why, here's what wasn't: a critical flaw in Windows Media Player.

There's no indication from Microsoft's Security Response Center (MSRC) about when that update will be issued, but if it really is as critical as its rating suggests, there's a possibility of its release before September's Patch Tuesday.

MSRC release manager Tami Gallupe gave no clues as to the nature of the underlying problem or progress on the fix, referring only to "a last minute quality issue".

So what has been fixed in Windows?

A patch for the Windows Image Color Management System is rated critical. The underlying flaw allows remote code execution if a user can be persuaded to open a maliciously crafted image. Since that includes images within web pages and emails, it needn't be a particularly difficult task when victims are unwary.



The Color Management vulnerability involves a heap overflow, but the good news is that a successful exploit only gains the same rights as the current user - which is one of the reasons why security experts recommend that administrative accounts are used as little as possible.

Windows 2000, XP and Server 2003 are affected by this flaw.

The Internet Explorer bulletin is rated critical for IE5, 6 and 7. One of the six vulnerabilities was disclosed publicly, but at the time of releasing the bulletins Microsoft was unaware of any proof of concept code or attacks involving any of them.

Five of the flaws can be exploited by maliciously crafted web pages that cause IE to access uninitialised memory. The sixth takes advantage of incorrect validation of print preview parameters.

A successful exploit of any of them allows remote code execution, but only with the user's rights.

Microsoft has warned that each of these vulnerabilities could be exploited by user-generated content or advertisements on web pages.

The critical vulnerability in the ActiveX control for the Microsoft Access Snapshot Viewer is of particular concern as it has been publicly disclosed and is being exploited. Attackers have even taken to using drive-by downloads to install the control on systems visiting malicious or compromised web sites so the flaw can be exploited.

Microsoft suggests setting a kill bit in the registry to prevent the old and insecure version from running even if it is introduced to a system.



While an updated version of the standalone Snapshot Viewer has yet to be released, updates are available for Access 2000, 2002 and 2003. Access 2007 is not affected by the issue.

Snapshot Viewer allows the display of Access report snapshots on systems that do not have Access installed. The ActiveX control provides similar functionality for reports embedded in web pages.

There are three more critical bulletins affecting Office components.

Excel 2000, XP, 2003, 2004, 2007 and 2008, along with the corresponding viewers and SharePoint Server 2007 are affected by four issues. The bulletin is rated critical for Office 2000, and important for the remaining versions.

Maliciously crafted files can trigger various flaws, resulting in remote code execution. This could allow the creation of user accounts with full user rights.

An interesting issue affecting Excel 2007 is said to be the first vulnerability involving the Open XML file format. The problem is that if a user connects Excel to a remote data source, the password used for the connection is saved in the file regardless of whether or not the user says that should be done.

Since Open XML files are actually ZIP files with a different extension and the password is stored in plain text within an XML file within the archive, it is easy to find details of the connection including the password.
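An added example, not from the original article or from Microsoft: a Python audit that opens a workbook as a ZIP archive, scans its XML parts for connection strings carrying a password, and reports them with the secret masked. The part name `xl/connections.xml`, the `dbPr` element and the sample connection string are assumptions used to build a constructed test package.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Matches "Password=..." or "PWD=..." inside a connection string.
SECRET_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;]*)")


def audit_workbook(data: bytes) -> list[dict]:
    """Return one finding per XML attribute that embeds a password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Assumption: connection details sit in XML parts of the package
        # (typically xl/connections.xml); scan every XML part to be safe.
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # not well-formed XML, nothing to inspect
            for elem in root.iter():
                for attr, value in elem.attrib.items():
                    m = SECRET_RE.search(value)
                    if m and m.group(2).strip():
                        findings.append({
                            "part": name,
                            "attribute": attr,
                            # Report with the secret masked, never the value.
                            "redacted": SECRET_RE.sub(r"\1=****", value),
                        })
    return findings


def build_sample(conn: str) -> bytes:
    """Constructed sample package (not a real workbook) for demonstration."""
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    xml = (f'<connections xmlns="{ns}"><connection id="1" name="Sales">'
           f'<dbPr connection="{conn}" command="SELECT 1"/>'
           f'</connection></connections>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/connections.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("Provider=SQLOLEDB;Data Source=db01;User ID=rpt;Password=Example123")
    for f in audit_workbook(sample):
        print(f["part"], f["attribute"], f["redacted"])
```

When running this over files from untrusted sources, cap the decompressed size of each part and use a hardened XML parser.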



Three PowerPoint vulnerabilities are spread across Office 2000, XP, 2003, 2004, 2007 and the associated viewers. The bulletin is rated critical for Office 2000, and important for the other software.

All three vulnerabilities allow maliciously crafted files to trigger remote code execution with the same rights as the user.

The final Office bulletin covers the EPS, PICT, BMP and WPG file filters for Office 2000, XP and 2003, as well as Project 2002, Works 8 and the Office Converter Pack. Again, they are classified as critical for Office 2000, and important for the other software.

The vulnerabilities can be exploited with maliciously crafted files if a user can be persuaded to import them into an Office document or to open or import a document containing a malformed image.
 
Microsoft says it is unaware of any public exploits or proofs of concept for any of the Office-related issues. Possible attack vectors include sending malicious documents with interesting names as spam attachments in the hope that recipients will be tempted to open them.

Now, on to the important vulnerabilities, starting with those for Windows itself.

Microsoft's latest and greatest operating systems - Vista and Server 2008 - are affected by an embarrassing bug that can result in supposedly encrypted IPsec network traffic being transmitted in plain text and therefore open to sniffing.

Data collected from such packets could be of immediate interest to an eavesdropper, or might reveal information that could help attempts to compromise the system.

The update ensures IPsec rules are correctly processed.



A pair of flaws in the Windows event system could be exploited to execute remote code and take full control of a system running Windows 2000, XP, Vista, Server 2003 or Server 2008.

While an attacker requires logon credentials, it sounds like it may be possible to use these flaws to gain full privileges.

The bulletin for Outlook Express and Windows Mail covers a situation where a maliciously crafted web page opened with Internet Explorer could result in information disclosure due to the way IE hands off MHTML URLs to Outlook Express or Mail.

The issue is rated important on Windows 2000, XP and Vista, but only low on Server 2003 and 2008 - presumably because people are less likely to be using a Server account for web browsing.

Messenger too is affected by an information disclosure issue, one that can allow an attacker to capture a user's Messenger credentials and therefore impersonate that user. Once again, an ActiveX control is the source of the vulnerability.

The patch for Windows Messenger 4.7 and 5.1 works by setting up a whitelist of applications that can access the ActiveX control. This approach was necessary as simply setting a kill bit for the control adversely affected Windows' Remote Assistance application.

The issue is classified as important on Windows 2000 and XP, and moderate on Server 2003. Vista and Server 2008 are not affected.

You can relax now, it's downhill from here! What remains is another Office flaw, along with the non-security updates for the month.


And finally, another Office-related bulletin. A maliciously crafted Word file can trigger remote code execution when opened in Word 2002 or 2003. Other versions including the various viewers and compatibility packs are not affected by this issue, which is rated important.

This vulnerability, which only delivers the same rights as the current user, is being exploited.

The Malicious Software Removal Tool and the Windows Mail Junk E-mail Filter have also been updated.

Non-security updates for the month include the release of Windows Home Server Power Pack 1; a daylight savings update for XP, Vista, and Server 2003 and 2008; a compatibility update for Saming OneKey recovery software for XP, Vista and Server 2008; an MDAC update for XP, Vista and Server 2008; and an update for Windows Server Update Services 3 SP1.

Microsoft has also updated the detections for some earlier updates so they are offered to systems that have installed certain service packs prior to installing those updates.

Most of us will simply allow Windows Update to do its thing and install the patches relevant to our systems, but administrators will have their work cut out checking so many updates for compatibility with their organisations' standard operating environments.


Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
