Microsoft Corp. today released six security bulletins that patched nine vulnerabilities in Windows, Internet Explorer, Microsoft Word, Outlook Express and SharePoint. But for the second time in two months, it yanked an update at the last minute.
Four of the six updates were rated critical, Microsoft's highest threat warning, while the remaining two were judged important, the next notch down in the company's four-step scoring system.
MS07-057, the critical update to IE, should be patched first, said Andrew Storms, director of security operations at nCircle Network Security Inc. "It's an update for every version of IE and for every supported version of Windows, so its impact is across the board," he said. Of the four vulnerabilities patched by the update, three are related to address-bar spoofing, the practice of disguising the URL shown by a browser to trick users into thinking they're visiting a safe or legitimate site. Two of those three were publicly disclosed earlier this year, in February and July: the first by Polish researcher Michal Zalewski and Danish researcher Jakob Balle of Secunia, the second by Zalewski alone.
Although Microsoft said today that it had no information to indicate that any of the IE vulnerabilities, the address-spoofing bugs included, had been exploited, Storms said he wasn't so sure. "The address bar spoofs would be perfect for the quintessential phishing campaign," he said. Exploits that leverage the vulnerability, he explained, would mask the URLs of bogus sites with fake addresses of legitimate sites and they could trick even users who pay attention to what's in a browser's address bar when they head to important pages, such as those where they log into online banking accounts.
"Nobody can keep a secret like this for eight months, so one has to assume that the bug [disclosed in February] has been in use for some time," said Storms.
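The article describes the general shape of an address-bar spoof (the bar shows a trusted name, the browser actually talks to somewhere else) without giving the mechanics of the IE bugs. The following is an added illustration, not code from the article or from Microsoft, of how a mail gateway or log pipeline might flag URLs whose apparent host differs from the host actually contacted. It checks the classic URL-level tricks (userinfo before the real host, look-alike non-ASCII characters, a trusted name buried in a subdomain or path); it does not model the browser-rendering flaws patched by MS07-057, whose details are not on this page. The trusted hostnames and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Hostnames a user would expect to see on "important pages" such as an
# online-banking login. Constructed for this example, not from the article.
TRUSTED_HOSTS = {"www.bank.example", "login.bank.example"}


def effective_host(url: str) -> str:
    """Host the client will actually connect to: userinfo and port stripped,
    name lower-cased (this is what urlsplit().hostname does)."""
    return urlsplit(url).hostname or ""


def spoof_indicators(url: str) -> list[str]:
    """Return the reasons a URL may *look* like a trusted site without being
    one. An empty list means no indicator fired; it does not prove the URL is
    safe, since rendering bugs in the browser itself are outside this check."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    # 1. userinfo: "https://www.bank.example@203.0.113.5/" shows the bank's
    #    name first, but 203.0.113.5 is the host actually contacted.
    if parts.username is not None:
        reasons.append("userinfo before host")

    # 2. non-ASCII host: look-alike (homograph) characters such as Cyrillic
    #    'а' render like Latin 'a' but name a different domain.
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII characters in host")

    for trusted in TRUSTED_HOSTS:
        # 3. trusted name used as a subdomain of an unrelated domain:
        #    "www.bank.example.evil.example" is owned by evil.example.
        if host.startswith(trusted + "."):
            reasons.append("trusted name is a subdomain of another domain")
        # 4. trusted name appears in the URL (path, query, userinfo) while the
        #    effective host is something else.
        elif host != trusted and trusted in url.lower():
            reasons.append("trusted name appears outside the host")
    return reasons


def is_spoof_candidate(url: str) -> bool:
    return bool(spoof_indicators(url))


if __name__ == "__main__":
    # Constructed sample URLs, one per trick plus a legitimate control.
    for sample in [
        "https://www.bank.example/login",
        "https://www.bank.example@203.0.113.5/login",
        "https://www.bank.example.evil.example/login",
        "https://evil.example/www.bank.example/login",
        "https://www.b\u0430nk.example/login",
    ]:
        print(effective_host(sample), spoof_indicators(sample))
```

The check keys on the hostname that `urlsplit` extracts, because that is the name the browser resolves and connects to regardless of what precedes the `@` or follows the first `/`; anything else in the URL that resembles a trusted name is decoration a phisher controls.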
For the most part, however, today's updates were yawners for Tom Cross, a researcher with IBM Internet Security Systems Inc.'s X-Force. "There's nothing here that is a huge, huge concern," said Cross. "They're just not that different from the things security professionals see every day. But that's good news, isn't it?"
Microsoft also patched critical vulnerabilities in the following software products:
Outlook Express on Windows XP and 2000, and Windows Mail on Vista.
Microsoft Word 2000 and XP for Windows PCs and Word 2004 on the Mac.
All supported versions of Windows except Vista.
The third of those, MS07-055, fixes a flaw in the Windows image viewer that parses Kodak-format image files. The vulnerability resembles other image-file bugs, such as the one in Windows Metafile that caused a ruckus in late 2005 and early 2006, but more important, it hints that attackers are still looking for such flaws. "The new vulnerability shows that there's an active research effort," said Storms, "primarily because of the vectors. You can host the image [on a malicious site] or send it [via an e-mail attachment]."
Of the two updates rated important, MS07-059 fixes an elevation-of-privilege flaw in Windows SharePoint Services 3.0 and Office SharePoint Server 2007, while MS07-058 plugs yet another hole in Windows' RPC (remote procedure call) component. Exploits could crash a system and force it to reboot, said Microsoft, and that led the company to classify the vulnerability as a denial-of-service bug.
"There have been endless RPC issues with Windows," Storms noted. The most infamous RPC bug was the one patched in August 2003 that was quickly exploited by the Blaster worm in massive attacks that caused considerable damage to computers worldwide.
But Storms said he thinks today's vulnerability is interesting more because of how Microsoft rated its threat level than because of the bug itself. "This illustrates that Microsoft has changed their rating of denial of service so that it's no longer considered critical," he said. "But I don't agree. Uptime is just as important as [information] confidentiality and integrity. If a system is unusable it means it's been compromised."
Also of interest, said Storms, was what wasn't released today.
For the second consecutive month, Microsoft pulled an update from the list it had released just five days earlier. This time, it dropped an update that was to have patched Windows 2000 SP4 and all versions of Windows Server 2003. Last week, Storms speculated that the patch targets may indicate a vulnerability in a service run only on servers. "If that is in fact the case," he said today, "then the fix is probably much more complicated and the vulnerability impacts more core code. That means Microsoft would expend much more [quality assurance effort] around it, which might explain the delay."
Although Microsoft did not notify users of its decision to yank a bulletin -- something it has done in the past, either by posting on the Microsoft Security Response Center blog or by revising the advance notification alert -- Symantec Corp. knew one was going to be spiked. In an alert issued Friday to customers of its DeepSight threat network, Symantec said that only six updates would be released today.
Symantec declined to say how it knew of the decision or whether it was given prior notice by Microsoft. Cross also had no comment when asked if IBM's X-Force knew beforehand that the seventh update had been withdrawn.
In a statement attributed to Mark Miller, director of security response communications at Microsoft, and forwarded to Computerworld by the company's public relations team, Microsoft said its policy is not to revise the advance notification when minor changes are involved. "When significant changes are made to the release, Microsoft will normally notify customers through a re-release of the [advanced notification] and all accompanying communications," Miller said.