Network administrators who have their hands full testing the newly-released Windows XP Service Pack 2 (SP2) got some relief from Microsoft Corp. Tuesday. The software giant issued just one security update for August for a "moderate" Outlook Web Access flaw.
MS04-026 fixes a newly-discovered cross-site scripting and spoofing vulnerability in Outlook Web Access for Exchange Server 5.5, the software giant said in a statement. The flaw could be exploited to launch a script insertion attack.
"An attacker who successfully exploited the vulnerability could manipulate Web browser caches and intermediate proxy server caches and put spoofed content in those caches," Microsoft said. "They may also be able to exploit the vulnerability to perform cross-site scripting attacks. This vulnerability could allow an attacker access to any data on the Outlook Web Access server that was accessible to the individual user." Exploiting this flaw requires user interaction, the advisory noted.
Information security experts were encouraged to see only one update. The testing and deployment of SP2 is more than enough to keep IT practitioners busy for the next month, they said.
"Now people can take the next month and just focus on using SP2 in the lab," said Eric Schultze, chief security architect for Shavlik Technologies of Roseville, Minn. "It's a very good thing that they won't have a lot of new patches to deal with on top of that."
Alfred Huger, senior director of security response for Cupertino, Calif.-based Symantec Corp., agreed. "It's critical people have the time to carefully look at SP2. More time is always better."
Still, Huger said, network managers shouldn't put off acting on MS04-026. "People are sometimes lulled into a false sense of security when they see something that is only listed as moderate. All vulnerabilities must be addressed, because you never know which one will be exploited."
Microsoft also re-released MS04-020, updating its Interix program to resolve a privilege elevation vulnerability in the POSIX subsystem. An attacker who successfully exploited this flaw could take complete control of an affected system to install programs; view, change or delete data or create new accounts with full privileges.
In recent months, the software giant's security updates have sent systems managers scrambling. Seven updates were released in July; a whopping 21 in April. Late last month, the company released an out-of-cycle update to fix multiple security glitches in Internet Explorer.
Microsoft's patch announcement also reminded customers that SP2 is now available to enterprise network administrators. "SP2 delivers the latest security updates and innovations from Microsoft, establishes strong default security settings, and adds new proactive protection features that will help better safeguard computers from hackers, viruses and other security risks," the company said.
SP2 is designed to make Windows XP more ironclad against attackers who have successfully exploited its multiple security holes, most recently in the form of Sasser, Dowload.ject and new strains of Mydoom. Among its security enhancements, SP2:
- Turns on the Internet Connection Firewall (ICF) by default, closes ports except when they're in use and improves the firewall configuration interface.
- Recompiles core Windows components to make the OS more resilient to malware-induced buffer overruns.
- Arranges default settings in Outlook Express and Windows Messenger more securely.
- Improves Internet Explorer controls and user interfaces to block malicious ActiveX controls and spyware.
Information security experts have recommended systems managers take a slow approach to SP2, testing it to make sure it's compatible with other applications on their networks.