If Microsoft says critical, 'sit up and listen'

Only 17 days after Microsoft issued its April security bulletins, the Sasser worm exploited one of those flaws and rampaged through countless computer networks around the world. At the time, IT security experts warned that enterprises could no longer afford to patch as they go and that they must shift focus to new technologies that monitor suspicious activity and block attacks at the gateway.

That view hasn't changed. But while patching alone may not be enough to guarantee security, experts warn users not to grow complacent about it. Patches may not always work, can interfere with other programs and have even inserted additional vulnerabilities on occasion. But as Microsoft's seven security bulletins for July illustrate, malicious code writers have plenty of flaws to work with and leaving systems unpatched simply makes no sense -- especially since two of the problems are critical.

"If Microsoft says there is a critical problem with its software, companies should sit up and listen. All businesses should ensure they have the resources in place to see which of the vulnerabilities may affect them and apply the fixes as necessary," Graham Cluley, senior technology consultant for Lynnfield, Mass.-based antivirus firm Sophos, said in a statement. "In the past we have seen worms exploiting Microsoft security holes appear within a couple of weeks of Microsoft's announcement. Smarter businesses will be putting protection in place now rather than waiting to see if an attack occurs."

David Perry, global director of education for Cupertino, Calif.-based IT security firm Trend Micro Inc., agreed. Nobody has seen any code that relates to the vulnerabilities in Microsoft's July bulletins, Perry said. But, he said, "If you look at past attacks, Nimda took almost a year to follow the announced vulnerability. Blaster took just under 30 days and Sasser took 17 days. The window is getting tighter between the bulletin and the attack. My advice to users is to install all the patches and do it early."

The July bulletins affect everything from Internet Explorer and Outlook Express to Windows NT, 2000 and XP.

The first critical vulnerability is in Task Scheduler. If a user is logged on with administrative privileges, an attacker who successfully exploited this hole could take remote control of an affected system to install programs, delete data or create new accounts with full privileges. The second critical update is for HTML Help and showHelp to fix holes an attacker could also use to take control of a machine.

Of the five remaining bulletins, four were rated as important and one as moderate. Among those ranked as important: a buffer overrun vulnerability in Internet Information Server 4.0 and a remote code execution vulnerability in how the Windows Shell launches applications. The moderate bulletin outlines a denial-of-service vulnerability in Outlook Express.

Thor Larholm, senior security researcher with PivX Solutions of Newport Beach, Calif., agreed the bulletins are worrisome. "The critical IE (Internet Explorer) vulnerabilities in MS04-023 affect almost all Internet users from Windows 98 through Windows XP," Larholm and his research team said in an e-mail. "These vulnerabilities are currently being actively exploited in the wild."