
The Patch Race Is On

In the wake of Microsoft's latest security patches, enterprises must hurry with testing and deployment before hackers come a-calling

There were no big surprises among Microsoft's Patch Tuesday releases today, but there were a couple of holes Microsoft kept under wraps until now.

Microsoft issued five "critical" (the most severe ranking) and two "important" vulnerability bulletins. Among the critical vulnerabilities were its expected patches for two key Excel holes that allow an attacker to remotely take control of a user's machine. Microsoft also patched a not-so-well-known hole in Windows that leaves a DHCP client open for attack, as well as one in Windows XP, 2003, and 2000 SP4 servers that was credited to H.D. Moore, the researcher whose very public vulnerability disclosures had previously irked Microsoft. Microsoft also issued an "important" rating for an IIS vulnerability that lets an attacker control a machine but only if he has valid logon credentials.

But it was the critical holes that caught most security experts' and managers' attention. "Anything that is ranked as critical and allows an attacker to take control of a system is very high priority," says Rob Enderle, president of Enderle Consulting. "Once a system is seized it can be used to penetrate other systems that otherwise would be more secure."

Although there were no real show-stoppers among the patches, the sheer number of vulnerabilities they cover is notable. Monty Ijzerman, senior manager of McAfee's global threat group, points out there were eight vulnerabilities for Excel and five for Office among the security bulletins. "That's significant. I don't think we've ever before seen so many vulnerabilities in Office applications." And two of the Excel vulnerabilities were already being exploited in the wild in targeted attacks, he adds.

In a related Windows security development, the French Security Incident Response Team (FrSIRT) today revised an alert it had posted on a Windows vulnerability after researchers discovered the bug doesn't allow the attacker to take control of the user's system after all -- something FrSIRT had reported in its initial alert. (See On Your Mark, Get Set... Patch.) The vulnerability can still be exploited for a denial-of-service attack, which FrSIRT had also reported initially. At press time, Microsoft had not responded to inquiries on whether the new patches address this vulnerability.

Meanwhile, for an attacker to exploit the DHCP vulnerability in Windows, he must be on the same local network as the machine he's targeting, says David Maynor, senior security researcher for SecureWorks. "A botmaster might integrate it into a bot on a machine that's already compromised so it can compromise additional machines." It can also bypass personal firewalls because, unlike enterprise firewalls, these devices allow DHCP traffic, he says. "Many [personal] firewalls already have vulnerabilities because they have DHCP enabled."

Patching the vulnerability in the Windows Server Service, meanwhile, should also be a priority for enterprises, says McAfee's Ijzerman. "You should jump on any server-side vulnerability quickly."

Windows 2000 and XP SP1 are most in danger of the Server Service hole because by default they activate this service, he says. "An anonymous user from outside could deliver malicious traffic."

A fix for the zero-day flaw in Excel was among Microsoft's security patches, as was one for the recent zero-day vulnerability in PowerPoint, Word, and Excel. Missing, however, was a patch for Excel's Hlink buffer overflow hole, Ijzerman says.

"It's not too surprising to find a bunch of Excel and Office vulnerabilities in here," says Jonathan Singer, a Yankee Group analyst. "This will continue until we've caught all the big ones."

If there was a theme in Microsoft's latest security patch release it was remote-code execution, where an attacker runs malicious code on your machine to gain control of it. "It's the Holy Grail of hacking," SecureWorks' Maynor says.

Now the race is on for enterprises to test and install their patches before hackers can exploit these vulnerabilities. New attacks are likely to emerge over the next few weeks now that the cat's out of the bag on threats Microsoft had kept close to the vest, especially the ones on DHCP, Server Service, and IIS.

"The problem with Patch Tuesday is Hack Wednesday," says Gary McGraw, CTO at Cigital. "Patches make great attack maps for attackers. And a lot of people don't bother applying patches, so the attackers will take advantage of that."

Says Maynor: "I wouldn't be surprised if you saw an exploit being publicly released tonight or tomorrow."

Microsoft's next patch release comes on -- you guessed it -- Tuesday, August 8.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • McAfee Inc. (NYSE: MFE)
  • Cigital Inc.
  • SecureWorks Inc.
