Microsoft this week issued three critical and one important patch for an assortment of its products. However, the...
security community appears concerned with the length of time it took the software giant to produce one of the critical patches -- more than nine months from its initial reporting -- and publicly released exploit code.
A buffer overrun in the remote debug functionality of FrontPage Server Extensions running on Windows 2000 and XP could allow an attacker to run code with local privileges. FrontPage Server Extensions also contains a denial-of-service flaw in SmartHTML interpreter, a set of dynamic link library files that support dynamic Web content.
"Exploit code targeting the vulnerability in MS-051 has been published," says David Kennedy, director of research services at TruSecure. "Front Page is exposed because its function is to update content. Front Page is also commonly used in a Web hosting environment thus an attacker could exploit one server and leverage that to additional servers at the same host, even ones not running Front Page."
Meanwhile, the Full Disclosure security mailing list is humming with criticism that it took Microsoft so long to patch the vulnerability.
Brett Moore of Security-Assessment.com, a provider of intrusion testing and security code review, says he reported the flaw to Microsoft on Jan. 30.
"We were somewhat amazed at the length of time it took based on previous advisories that we have given them, although Microsoft were proactive in keeping us up to date as to the progress and in dialogue they took it really seriously," Moore said.
Moore added that Microsoft said the released was delayed on several occasions because of internal issues.
"Perhaps it was given a lower priority by them, as it is not a module that is installed by default, and generally is a dll that it is against best practice to have installed," Moore said. "I do note however that the reason they have released it with a 'Critical' rating is due to the potential for worm activity associated with this vulnerability."
Moore also pointed out that the original advisory has been updated and refutes an initial report that this is a root-level exploit.
"You will see they have now updated their advisory to reflect the fact that access is only under the 'IWAM_machinename' account, which is similar to a guest account, with limited access," Moore said.
Microsoft was unable to comment by press time.
Other patches include a cumulative update to correct five new flaws in IE 5.01/5.5/6.0. Another critical alert was issued for Workstation Service in Windows 2000/XP and Front Page Server Extensions in Windows NT/2000/XP/Server 2003. Microsoft also released less severe warnings about flaws in Office applications, Word and Excel. Both flaws could allow remote code execution.
Microsoft recommends administrators install the critical patches immediately.
FOR MORE INFORMATION: