Update: Microsoft fixes 23 flaws, DHS urges action

Updated: Microsoft releases a dozen August security updates, nine critical. The Department of Homeland Security says one fix in particular should be implemented immediately.

Update: IT administrators have a brutal month of patching thanks to Microsoft's Tuesday release of 12 security bulletins covering a range of problems in Windows, Office and Internet Explorer, and the government is urging quick action.

The biggest threat
Security experts agree the bulletin to take most seriously is MS06-040, which addresses a remotely exploitable buffer overrun flaw in the Windows Server Service.

In fact, even the U.S. Department of Homeland Security, which rarely involves itself in such minutiae, sent out a public advisory Wednesday urging those using Windows to install the MS06-040 patch as soon as possible. The U.S. Computer Emergency Readiness Team (US-CERT), which is operated jointly by DHS and Carnegie Mellon University, also has been briefing CIOs and CISOs on the severity of the flaw and is working with the industry ISACs to stress the importance of installing the fix.

On the patch management forum hosted by Roseville, Minn.-based Shavlik Technologies LLC, Marc Maiffret, chief hacking officer of Aliso Viejo, Calif.-based eEye Digital Security Inc., said IT professionals should focus on getting this patch deployed before any others. "This vulnerability was being actively exploited in the wild," he said, "however no previous details had been released on it publicly."

Amol Sarwate, director of Qualys' vulnerability research lab, said the flaw addressed in MS06-040 is the only one in this month's batch that an attacker could exploit without user interaction. "This is the most critical and users should take it the most seriously," he said. "But all the other critical bulletins can't be taken lightly because they are spread all over the operating system."

Exploits circulating
In all, nine of the bulletins have been deemed critical and a total of 23 security holes have been fixed in this month's release, including previously exploited Windows and PowerPoint flaws.

"With 23 flaws, this is easily one of Microsoft's largest patch releases, and this batch covers a broad range of applications," said Jonathan Bitle, manager of the technical accounts team for Redwood Shores, Calif.-based Qualys Inc. "Because we're seeing so many client-side flaws each month, we can't highlight enough the need for user education -- not just a need for patching, but for education among all employees on what kinds of Web sites and files are acceptable or not."

Microsoft described the critical flaws as those an attacker could exploit to take complete control of an affected system. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the vendor said in its advisories.

As expected, several examples of exploit code were already circulating Wednesday morning. The Bethesda, Md.-based SANS Internet Storm Center (ISC) noted on its Web site that the exploit code is designed to target the vulnerabilities described in MS06-040, MS06-042 and MS06-046.

"Those of you still testing patches ... better hurry up and get some of these fixed before you get hit," ISC handler Swa Frantzen wrote on the site.

A monster IE fix
One of the best examples is MS06-042, the latest cumulative update for Internet Explorer (IE), which fixes eight different security holes, Sarwate said. According to Microsoft, the bulletin addresses:

Two flaws in how IE handles redirects. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page," Microsoft said. "An attacker who successfully exploited this vulnerability could read file data from a Web page in another IE domain."

Two flaws in how IE interprets HTML with certain layout positioning combinations. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page," Microsoft said.

A flaw in how IE handles chained Cascading Style Sheets (CSS). "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page," Microsoft said.

A flaw in how IE instantiates COM objects that are not intended to be instantiated in the browser. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page," Microsoft said.

Script can be used to access the location of a Window in another domain or Internet Explorer zone. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page," Microsoft said. "An attacker who successfully exploited this vulnerability could gain access to the Window location of a Web page in another domain or Internet Explorer zone."

A flaw in how IE handles specially crafted FTP links that contain line feeds. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow the attacker to issue FTP server commands if a user clicked on an FTP link," Microsoft said. "An attacker who successfully exploited this vulnerability could issue server commands as the user to servers."
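The FTP-link item above is an instance of a general flaw class: a URL component carrying a line feed is copied unchanged into a line-oriented protocol, so the link's author gets to append commands of his own. As an added illustration that is not IE's code and not part of the original article, the Python below builds the FTP control commands for an ftp:// link the careless way and the hardened way; the host name and file names are constructed placeholders, and the "reject control characters" rule is one reasonable fix, not necessarily the one Microsoft shipped.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links; ftp.example.test is a placeholder, not a real host.
SAFE_LINK = "ftp://ftp.example.test/pub/readme.txt"
# %0D%0A decodes to CR LF, the FTP command terminator, so everything after it
# is read by the server as a second command chosen by the link's author.
CRAFTED_LINK = "ftp://ftp.example.test/pub/readme.txt%0D%0ADELE%20important.txt"


def naive_commands(url):
    """Control-channel lines a careless client sends for an ftp:// link.

    The decoded path is dropped straight into a RETR command, so an
    embedded CRLF terminates RETR early and the remainder of the path is
    sent as a separate, attacker-chosen command.
    """
    path = unquote(urlsplit(url).path)
    wire = "USER anonymous\r\nRETR " + path + "\r\n"
    return [line for line in wire.split("\r\n") if line]


def is_safe_ftp_link(url):
    """Reject links that could smuggle commands into the FTP control session.

    Checks the raw URL as well as the decoded path: percent-encoding hides
    CR/LF from a check on the raw string, while urlsplit() on current Python
    silently strips literal CR/LF/TAB, which would hide them from a check on
    the decoded path alone.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp" or not parts.hostname:
        return False
    path = unquote(parts.path)
    for text in (url, path):
        # CR and LF are the command separators; the other C0 controls and
        # DEL have no place in a file path either.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
            return False
    return True


def hardened_commands(url):
    """Same as naive_commands(), but refuses the link instead of building
    commands from a path that contains control characters."""
    if not is_safe_ftp_link(url):
        raise ValueError("refusing ftp link with control characters: %r" % url)
    return naive_commands(url)


if __name__ == "__main__":
    for link in (SAFE_LINK, CRAFTED_LINK):
        print(link)
        print("  naive client sends:", naive_commands(link))
        try:
            print("  hardened client sends:", hardened_commands(link))
        except ValueError as exc:
            print("  hardened client:", exc)
```

Run stand-alone, the naive client turns the crafted link into three commands (USER, RETR, then the injected DELE), while the hardened client refuses the link before any command is built. The same check, applied at the point where a URL becomes protocol text, covers the bare-LF variant too, since many FTP servers accept a lone LF as a line terminator.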

Metasploit Framework creator H.D. Moore released at least one new browser flaw a day last month as part of his self-titled "Month of Browser Bugs" project, and Sarwate believes that's why the August IE update is so large. Plus, from what he can tell, this update didn't even address all the known IE flaws.

"It will probably take Microsoft two Patch Tuesdays to fix everything," he said.

Other critical fixes
The remaining critical fixes for August are:

MS06-043, which addresses a remote code execution vulnerability in Windows that results from incorrect parsing of the MHTML protocol. "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML email that could potentially lead to remote code execution if a user visited a specially crafted Web site or clicked a link in a specially crafted email message," Microsoft said.

MS06-044, which addresses a remote code execution flaw in the Microsoft Management Console (MMC).

MS06-046, which addresses a flaw in the HTML Help ActiveX control. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited that page," Microsoft said.

MS06-047, which addresses a flaw in how Visual Basic for Applications (VBA) checks the document properties that a host application passes to it when opening a document. Microsoft Office applications are affected by this vulnerability, Microsoft said.

MS06-048, which addresses two Microsoft PowerPoint flaws that had already been disclosed in the past month. One flaw can be exploited when a file containing a malformed shape container is parsed by PowerPoint. The other flaw could be exploited when PowerPoint parses a file containing a malformed record.

MS06-051, which addresses two flaws: a privilege elevation vulnerability in how Windows 2000 starts applications, and a flaw in how Windows handles exceptions when multiple applications are resident in memory.

Three 'important' fixes
Microsoft rated three security updates as "important" this month:

MS06-045, which addresses a flaw in how Windows Explorer handles drag-and-drop events. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious email message," Microsoft said.

MS06-049, which addresses a privilege-elevation flaw in Windows 2000 caused by improper validation of system inputs.

MS06-050, which addresses two flaws in the Windows hyperlink object library: an unchecked buffer in the code that is used for handling hyperlinks, and a flaw in a function that is called when hyperlinks are handled. An attacker could exploit the flaws by constructing a malicious hyperlink that could potentially lead to remote code execution if a user clicks the link within a Microsoft Office file or email message. While this bulletin technically addresses a flaw within a Windows component, that component is the root cause of the previously reported zero-day flaw in Microsoft Excel that attackers could exploit to launch malicious code.
