A fix for a potentially major worm and some long-awaited repairs for Internet Explorer were among the 12 patches Microsoft issued for 23 vulnerabilities in today's Patch Tuesday announcements.
This was one of the largest Patch Tuesdays ever for Microsoft. Nearly half of the vulnerabilities are already known or in the wild. (See Microsoft to Issue 12 New Patches.)
Topping the "critical" list was a vulnerability in Windows' Server Service, MS06-040, which leaves servers open to worm attacks and can be exploited without any user action. As expected, the software giant also issued a patch for a known zero-day PowerPoint hole, along with patches for 8 other critical remote-code execution holes: three for Internet Explorer, three for Windows, and two others.
MS06-040 is a second pass at a fix Microsoft issued last month, #035, which attackers managed to circumvent, according to one researcher. (See The Patch Race Is On.) "This is the second patch for the same systems component," says Dan Peck, a researcher with SecureWorks. "[Microsoft has] found new vulnerabilities after someone hammered against the new patch."
But Marc Maiffret, CTO of eEye Digital Security, disagrees. He says this is no repatch but rather a fix for a new exploit in the wild that SANS and CERT helped identify. "The one last month was a vulnerability in the Windows kernel driver. This one is very different," Maiffret says, adding that it's an API DLL problem.
Either way, researchers agree this vulnerability is prime for a major worm attack because it lets an attacker take over a machine without any user interaction. But the exploit can only occur if file-sharing and print-sharing are activated, and these are typically turned off or protected in "more sophisticated organizations," says Amol Sarwate, director of Qualys' vulnerability research lab.
"This is the only one that must be applied very quickly," says Rob Enderle, principal analyst with the Enderle Group.
Microsoft also issued a patch for a Domain Name Server (DNS) vulnerability that would allow an attacker to set up a fake DNS server or fake responses to a legitimate one, says Dave Maynor, a researcher with SecureWorks. "But this would take some sophistication" to execute, he says.
Internet Explorer finally got its day today, too, with a cumulative update from Microsoft that addresses some bugs found by HD Moore's Month of Browser Bugs. (See Getting Buggy with the MOBB.) The software giant issued a patch for a cross-site scripting flaw in Internet Explorer 5 on Windows 2000. "That was long overdue," says Alain Sergile, technical product manager for X-Force/ISS.
Microsoft also patched a vulnerability in Microsoft Management Console that allows remote-code execution. Aside from PowerPoint, Microsoft also issued patches for Outlook Express. The good news for Windows XP users: XP didn't have the exposure that other Windows OS versions had in this Patch Tuesday release, says Enderle. "So XP users can sleep a little better."
Kelly Jackson Higgins, Senior Editor, Dark Reading