Updated Friday, Jan. 12 with details on a working exploit for the VML flaw fixed in MS07-004.
Security experts were somewhat surprised Microsoft's first security update of the year didn't include patches for zero-day flaws in Word. But they believe the company is doing its best to stay ahead of the bad guys, and that an out-of-cycle patch for the flaws is very likely.
In the meantime, IT administrators say they're confident their security procedures are layered enough to block the threats until the software giant can deliver a fix. Besides, they say, a late patch is better than a quick one that causes network compatibility problems.
"Microsoft WSUS (Windows Server Update Services) is just one of our defenses," Brian Joyce, IT director of Chattanooga, Tenn.-based accounting firm Joseph Decosimo and Co., said of the software giant's patch delivery tool. "We know that process isn't perfect so we don't rely solely on WSUS to protect us from exploits. It is one piece in our defense-in-depth strategy."
Joyce, who was interviewed by email, said his IT shop relies on several additional layers of security hardware and software. This includes tools that scan, filter, trap, block and quarantine unwanted network traffic in real time.
John Hornbuckle, IT administrator for the Taylor County School District in Perry, Fla., said in an email exchange that he does worry about flaws going unpatched for at least another month. But he said that's better than getting a patch that isn't thoroughly tested.
"I've got around 2,000 machines on my network, and the thought of pushing down a patch that ends up causing problems on that many machines is enough to keep me up at night," he said.
An out-of-cycle fix?
While no one can predict with certainty what Microsoft might do, two patch management specialists say chances are good that IT administrators won't be waiting long for a Word patch.
"The big question is whether there will be an out-of-cycle patch for this," said Chris Andrew, vice president of security technologies for Scottsdale, Ariz.-based vulnerability management firm Patchlink Corp. "With them pulling back on four updates, it wouldn't surprise me to see them release something out of cycle."
Amol Sarwate, manager of vulnerability research for Redwood Shores, Calif.-based security firm Qualys, said he was surprised the Word flaws went unfixed, since they have been publicly known for at least a month. He agreed with Andrew that an out-of-cycle fix is likely.
"I definitely think there will be an out-of-band patch," he said. "The flaws are known to Microsoft and they are being exploited. The security update is probably ready except for some final verifications. If I were them, I'd release it as soon as it's ready."
While IT administrators await Microsoft's next move, Andrew and Sarwate suggest they focus for now on the quick deployment of patches that were released Tuesday.
MS07-003 fixes three separate flaws in Microsoft Outlook. The first is triggered when Outlook parses a calendar file and processes a malformed VEVENT record; the second when Outlook parses an Office Saved Searches (.oss) file. Both can lead to remote code execution. The third is a denial-of-service condition in the way Outlook processes email header information. "An attacker who successfully exploited the vulnerability could send a malformed email to a user of Outlook that would cause the Outlook client to fail under certain circumstances," Microsoft warned in the bulletin. "The Outlook client would continue to fail so long as the malformed email message remained on the email server."
MS07-004 fixes a flaw in the Vector Markup Language (VML) implementation within the Windows operating system. "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML email that could potentially allow remote code execution if a user visited the Web page or viewed the message," Microsoft said. The update is a big one because the flaw affects all versions of Internet Explorer (IE), including the recently released IE 7. For machines that cannot take the patch immediately, Microsoft's bulletin lists unregistering the VML library (vgx.dll) as a workaround, at the cost of breaking any page or message that relies on VML until the library is re-registered.
As most security experts expected, a working exploit for the VML flaw was quickly released. The exploit was released on a limited scale by the partners program of Miami Beach, Fla.-based Immunity Inc. On its Web site, the security software and consulting firm boasted that it published the exploit less than three hours after the flaw was announced.
For the most part, IT administrators and patch management vendors believe Microsoft is doing a good job keeping up with a steady stream of security threats.
"I think they're doing a good job at not releasing junk," Andrew said. "They're doing the best they can to balance the risk. It's good to see them doing the necessary testing, even though it opens the door to more exploits."
Sarwate said Microsoft is doing okay keeping up to date on zero-day threats, especially given the dramatic increase in such threats in the past year. Microsoft is in a tough position because flaw finders are timing their disclosures in a way that maximizes the window of vulnerability, he said.
"A lot of these are made public just before Patch Tuesday so Microsoft doesn't have time to address it that month, or they release it right after Patch Tuesday to expand the amount of time that the flaw will go unpatched," he said.
Hornbuckle said Microsoft has come a long way and is doing a much better job on security compared to several years ago, though he still doesn't trust the company enough to deploy its patches the second they are released.
"What I generally do is wait and watch the online community for reaction from those who immediately apply the patch," he said. "If I don't see a negative trend, I'll apply it to my own machine, then to all of the machines in my department, then to my office complex, then on out to the rest of my network."
At each step of the rollout, he said, it takes time to test and make sure the patch hasn't broken anything. The process can take a week or two, depending on how much testing is needed at each phase.
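The staged rollout Hornbuckle describes maps naturally onto WSUS computer target groups, with a health check on the previous ring before the next one is approved. The PowerShell script below is an added example written for this article, not Hornbuckle's own process or Microsoft's code; it assumes the WSUS 3.0 .NET administration API (Microsoft.UpdateServices.Administration) is present on the WSUS server, and the ring group names, bulletin ID and thresholds are illustrative choices. The "watch the online community" step that precedes the first ring stays a human decision: the script only promotes one ring per run, so it is meant to be run once a day after that check.

```powershell
# Added example: promote one bulletin's updates through WSUS target groups one
# ring at a time, gated on the previous ring's install results. Group names,
# thresholds and the default bulletin ID are assumptions for illustration.
param(
    [string]   $Bulletin     = "MS07-004",
    [string[]] $Rings        = @("Ring0-MyMachine", "Ring1-ITDept", "Ring2-OfficeComplex", "Ring3-Everyone"),
    [double]   $MaxFailRate  = 0.05,  # hold promotion if more than 5% of reporting hosts failed
    [int]      $MinInstalled = 3      # require this many clean installs before promoting
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Resolve ring names to WSUS computer target groups; fail loudly on a typo
# rather than silently skipping a ring.
$groups = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groups[$g.Name] = $g }
foreach ($name in $Rings) {
    if (-not $groups.ContainsKey($name)) { throw "WSUS target group '$name' does not exist" }
}

# Every synchronized update that carries the bulletin ID (one bulletin can
# cover several updates, one per product/platform).
$updates = @($wsus.GetUpdates() | Where-Object { $_.SecurityBulletins -contains $Bulletin })
if ($updates.Count -eq 0) { throw "No synchronized updates carry bulletin ID $Bulletin" }

function Get-RingHealth($update, $group) {
    # Installed/failed/pending counts for this update within one target group,
    # taken from the per-group summary WSUS keeps for each update.
    foreach ($s in $update.GetSummaryPerComputerTargetGroup()) {
        if ($s.ComputerTargetGroupId -eq $group.Id) {
            return @{ Installed = $s.InstalledCount; Failed = $s.FailedCount; Pending = $s.NotInstalledCount }
        }
    }
    return @{ Installed = 0; Failed = 0; Pending = 0 }
}

foreach ($u in $updates) {
    Write-Host "== $($u.Title)"

    # Which rings already have an Install approval for this update?
    $approvedIds = @{}
    foreach ($a in $u.GetUpdateApprovals()) {
        if ($a.Action -eq $install) { $approvedIds[$a.ComputerTargetGroupId] = $true }
    }

    # The first ring without an approval is the candidate for promotion.
    $next = -1
    for ($i = 0; $i -lt $Rings.Count; $i++) {
        if (-not $approvedIds.ContainsKey($groups[$Rings[$i]].Id)) { $next = $i; break }
    }
    if ($next -lt 0) { Write-Host "   already approved for every ring"; continue }

    if ($next -gt 0) {
        # Gate: the previous ring needs enough clean installs and a low failure rate.
        $prev     = $groups[$Rings[$next - 1]]
        $health   = Get-RingHealth $u $prev
        $reported = $health.Installed + $health.Failed
        $failRate = 0
        if ($reported -gt 0) { $failRate = $health.Failed / $reported }
        Write-Host ("   {0}: installed={1} failed={2} pending={3}" -f $prev.Name, $health.Installed, $health.Failed, $health.Pending)
        if ($health.Installed -lt $MinInstalled) {
            Write-Host "   holding: fewer than $MinInstalled successful installs reported from $($prev.Name)"
            continue
        }
        if ($failRate -gt $MaxFailRate) {
            Write-Warning "holding: failure rate $failRate in $($prev.Name) exceeds $MaxFailRate; investigate before promoting"
            continue
        }
    }

    # Gate passed (or this is the first ring): approve for the next ring only.
    $target = $groups[$Rings[$next]]
    [void]$u.Approve($install, $target)
    Write-Host "   approved for $($target.Name)"
}
```

Two design points matter in practice. The gate counts only hosts that have actually reported back, so a ring with many machines still pending does not pass on the strength of a handful of installs; raise `$MinInstalled` to match the size of each ring. And the script never approves more than one ring per run, which keeps the "week or two" pacing Hornbuckle describes under operator control rather than letting a clean first ring cascade the patch to 2,000 machines overnight.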
At the very least, Microsoft deserves credit for improving its communications with customers regarding new threats, workarounds and fixes, Glenn Hill, IT security manager for Northeastern University in Boston, said in an email exchange.
"While one hopes the necessity for applying patches will decline along with greater attention being paid to security during product development, it is my observation Microsoft has made significant strides in how they communicate and deliver patching services," he said.