Microsoft's flurry of security bulletins this week made October the busiest month on record and has undoubtedly...
sent thousands of administrators scrambling to test and deploy fixes for some serious flaws that could quickly be exploited by worm writers.
Microsoft issued 10 security bulletins Tuesday, seven of them critical. The bulletins aim to patch a total of 22 newly discovered vulnerabilities -- a new record for the software maker's monthly Patch Tuesday program, according to a Microsoft spokesperson. The vulnerabilities include holes that an attacker could use to cause a denial of service, view sensitive data or launch malicious code.
Experts said IT managers should act fairly rapidly in getting the patches tested and deployed, because any number of the vulnerabilities -- especially those that affect Internet-facing systems -- could be quickly exploited by newly created or updated network intruders.
Mark Loveless, lead security researcher at the BindView Corp., a Houston-based security and patch management vendor, said he's not trying to be an alarmist when he suggests that admins act fast in deploying the patches. It's just that the time it takes from the discovery of a bug to the introduction of a virus or worm that exploits that bug has narrowed considerably in recent years.
"The timeframe on that used to be months, and now it has shrunk to weeks and even days," Loveless said.
Patch Tuesday -- or Black Tuesday, as many administrators have taken to calling it -- is the second Tuesday of each month, when Microsoft releases the newest fixes for its Windows operating system and related software. The bulletins released on the most recent patch cycle affect Windows NT, XP and Server 2003, as well as the Excel and Internet Explorer applications.
Microsoft on Tuesday also re-issued patch MS04-028 from last month, outlining critical vulnerabilities in the way some applications read and display .jpg picture files. The re-release only affects Office XP applications for customers using XP Service Pack 2.
Highly 'wormable' flaws
Loveless explained that the vulnerabilities most likely to be exploited are those that affect public or Internet-facing systems. These include, but are not limited to, the newly discovered vulnerability within the Network News Transfer Protocol (NNTP), a potential exploit within the Windows Server 2003 SMTP (Simple Mail Transfer Protocol) component, and a flaw in NetDDE, which allows different applications to share documents across computers.
Loveless said that BindView considers the NetDDE flaw to be the most dangerous because oftentimes administrators don't even know it is turned on. The NetDDE software has shipped in every version of Windows since NT, and by default it is turned off. However, the security researcher pointed out, applications often turn it on unbeknownst to users.
"This is one of the ones that we felt is pretty bad," Loveless said.
The NNTP flaw is also particularly serious for similar reasons, according to BindView. This component is generally not turned on. However, in some circumstances, it doesn't need to be manually turned on to be exploited.
"I know, for example, that we had to apply that particular patch on BindView's Exchange server," Loveless said. "We weren't using NNTP, but another feature that we were using actually enabled it."
BindView and other patch management vendors that have been testing out the new Microsoft patches said they seem to work fine on Microsoft products, though they are likely to break some third-party and in-house applications if proper precautions aren't taken. They suggest that IT managers take the commonly recommended steps of prioritizing, conducting a risk assessment and testing out all of their non-Microsoft applications for compatibility with the new patches prior to mass deployment.
But these are sure to be daunting tasks, given the large number of vulnerabilities they have to contend with this month.
"It sounds simple at first. You just find your vulnerable systems and then you apply the patches," Loveless said. "The problem is finding the vulnerable systems."
The good news, said Brian Bartlett, a systems engineer with Ecora Software Corp., a patch management software vendor based in Portsmouth, N.H., is that seven of the 10 security bulletins focus on vulnerabilities that were privately reported. There is less of a chance that exploits for privately reported are already running rampant. While getting the fixes deployed for these flaws quickly is still important, privately reported bugs can generally be given a slightly lower priority.
In getting prioritized, "I think the best thing to do is read the executive summary closely and find out if this thing is out in the wild already," Bartlett said. "That will help an IT department determine if they should keep people here tonight or should address it in the morning."
How long it will take to get these patches tested and deployed will be different for each company and depends on the systems a company is using, the experts said. People with older versions of Windows will likely have a lot of work ahead of them.
"It's going to depend on what bug it is that they're patching for," Loveless said. "If you haven't migrated to Windows 2000, or XP or 2003, and you're all on NT and you've got 10,000 machines, then it's going to take you a long time to roll those out."
Microsoft urged to be more proactive
Tuesday's influx of new patches irritated some critics, who say that while Microsoft does a good job of releasing patches in a timely fashion when problems arise, they could do more to avert problems proactively.
"As Microsoft moves forward, their operating systems are going to have to be more secure to begin with," Loveless said. "They're going to have to ship them preconfigured in locked down modes and remove some of the extra software that isn't needed."
Note: This article originally apeared on SearchWindowsSecurity.com.