Microsoft patches 18 flaws

By Bill Brenner, News Writer 12 Apr 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Microsoft issued patches Tuesday to close 18 security holes in Internet Explorer, Windows, MSN Messenger, Exchange and Office. But this month's batch doesn't address recently discovered problems in the software giant's popular browser, e-mail and database programs.

"None of the recent vulnerabilities are fixed this month, but I didn't expect them to be fixed, either," said Mike Murray, director of vulnerability and exposure research for San Francisco-based security firm nCircle.

One of those vulnerabilities, discovered by the security research organization HexView, is in Microsoft's Jet Database Engine. Attackers could use a memory handling error in the program to launch malicious code. Danish security firm Secunia said the flaw is "highly critical" because exploit code has been posted to a public mailing list. Secunia confirmed the vulnerability on a fully patched system with Microsoft Access 2003 and Windows XP SP1/SP2.

Also unaddressed this month are two vulnerabilities in Internet Explorer and Outlook brought to light by Aliso Viejo, Calif.-based eEye Digital Security. The first "allows malicious code to be executed, contingent upon minimal user interaction," eEye said, adding that the problem affects Internet Explorer, Outlook and "additional miscellaneous titles." The second vulnerability has the same damage potential and also affects IE and Outlook.

As for this month's offerings, Murray and Mike Sutton, director of Reston, Va.-based iDefense Labs, agreed IT administrators should pay close attention to the patches that fix a variety of flaws in Windows and Internet Explorer.

Related Links Critical flaws in IE, Outlook Microsoft admits its Linux research is met with skepticism

Attackers could use "important" Windows shell and "moderate" message queuing vulnerabilities to launch malicious code, Microsoft said. They could also exploit "important" vulnerabilities in the Windows kernel as well as "critical" Transmission Control Protocol/Internet Protocol (TCP/IP) validation and reset flaws to gain escalated privileges, launch code and cause a denial of service.

A cumulative update for Internet Explorer closes "critical" security holes attackers could use to take over machines and install programs; view, change or delete data; and create new accounts with full user rights, Microsoft said.

"A lot of people use Internet Explorer, and exploits could occur just by browsing," Sutton said. "It's not difficult to exploit. And the TCP/IP flaws are something to pay attention to, because supposedly you can take a malformed IP packet and execute code. This puts a lot of [Windows] boxes in danger, especially in an enterprise setting."

Murray said code execution in the IP stack has the potential to be "super serious."

"All Windows boxes have an IP stack, so you're talking about something that's widely deployed," he said. "This is something that could be easily exploited."

Other fixes

Microsoft fixed another "critical" flaw that could let an attacker connect to the Simple Mail Transfer Protocol (SMTP) port on an Exchange server. A specially-crafted command could then be used to cause a denial of service or allow the attacker "to run malicious programs of their choice in the security context of the SMTP service," the company said.

A "critical" update for MSN Messenger fixes a security hole attackers could exploit to take over affected machines.

Finally, a "critical" update for Microsoft Word and Office fixes buffer overrun vulnerabilities an attacker could exploit to launch malicious code.

Microsoft also re-released two earlier bulletins. The first, originally issued in January, addresses two critical flaws in how cursor, animated cursor and icon formats are handled.

The second re-release, originally from February, fixes a glitch in Media Player, Windows Messenger and MSN Messenger an attacker could also use to take control of vulnerable machines.

The patch release came on a day when the blocker to Microsoft's SP2 download program expired. As the Bethesda, Md.-based SANS Internet Storm Center put it in a Tuesday-morning Web site message, "The Automatic-Download of Microsoft XP Service Pack 2 may soon happen on your network if your organization has opted out of the original update and does not maintain [its] own SMS or SUS servers."

Tags: Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary