Microsoft handed IT managers a headache in the form of 10 security bulletins Tuesday, seven of them critical. They outline security holes an attacker could use to cause a denial of service, view sensitive data or launch malicious code. Multiple Windows products are affected, including NT, Excel, XP, Server 2003 and Internet Explorer.
The software giant also re-issued MS04-028 from last month, outlining critical .jpg vulnerabilities. The re-release only affects Office XP applications for customers using XP Service Pack 2.
Many IT practitioners probably shared the reaction of Bradley Dinerman, technical operations manager for Newton, Mass.-based IT management firm MIS Alliance Corp.: "I think I'll take a Tylenol. And while that takes effect, I'll do some research on the fixes," he said by e-mail moments after the bulletins were issued.
Oliver Friedrichs, senior manager of Symantec Security Response, said enterprises should be particularly concerned about the content parsing and Internet Explorer flaws. "If you're worried about malicious code or the ability for someone to load spyware on your computer, the content parsing and IE vulnerabilities are most concerning," he said. "When enterprises are trying to prioritize where to patch first, that's where they should start."
This month's "critical" bulletins are:
MS04-032, which fixes multiple vulnerabilities an attacker could use to take complete control of an affected system and then install programs; view, change or delete data; or create new accounts that have full privileges.
MS04-033, which fixes a vulnerability in Excel an attacker could also use to install programs; view, change or delete data; or create new accounts with full privileges. "Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges," the bulletin said.
MS04-034, which fixes a vulnerability in compressed folders that could allow many of the same exploits.
MS04-035, which fixes a vulnerability an attacker could use for many of the same exploits. "A remote code execution vulnerability exists in the Windows Server 2003 SMTP component because of the way that it handles Domain Name System (DNS) lookups," the bulletin said. "An attacker could exploit the vulnerability by causing the server to process a particular DNS response that could potentially allow remote code execution. The vulnerability also exists in the Microsoft Exchange Server 2003 Routing Engine component when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4."
MS04-036, which fixes a vulnerability within the Network News Transfer Protocol (NNTP) component of the affected operating systems. "This vulnerability could potentially affect systems that do not use NNTP. This is because some programs that are listed in the affected software section require that the NNTP component be enabled before you can install them," the bulletin said. As with the vulnerabilities listed above, an attacker could use this one to take over machines, launch malicious code and cause other problems.
"This one is especially serious because if you're running the news service, you can be attacked by anyone in the network," said Ivan Arce, CTO of Boston-based Core Security Technologies, which reported the vulnerability to Microsoft Aug. 16. "Your server can be compromised internally or externally. It's an ideal attack vector."
MS04-037, which fixes a vulnerability in the Windows shell that could be exploited in similar fashion.
MS04-038, a cumulative security update for Internet Explorer fixing several vulnerabilities an attacker could use to take over machines and do many of the things outlined above.
This month's "important" bulletins are:
MS04-029, which fixes a vulnerability in the RPC Runtime Library that could allow information disclosure and a denial of service. "An attacker who successfully exploited the vulnerability could cause the affected system to stop responding or could potentially read portions of active memory content," the bulletin said.
MS04-030, which describes a vulnerability in the WebDAV XML Message Handler that could lead to a denial of service. "An attacker who successfully exploited this vulnerability could cause WebDAV to consume all available memory and CPU time on an affected server. This behavior could cause a denial of service. The IIS service would have to be restarted to restore functionality," the bulletin said.
MS04-031, which describes a vulnerability in NetDDE that could allow remote code execution. "However, the NetDDE services are not started by default and would have to be manually started, or started by an application that requires NetDDE, for an attacker to attempt to remotely exploit this vulnerability," the bulletin said.
Jon Oltsik, senior analyst of information security for Milford, Mass.-based Enterprise Strategy Group, said Microsoft has done better at streamlining its bulletin process and making updates easier to digest, but that 10 is a lot for IT managers to eat at once.
"It's an impossible job, when you have this many bulletins and hundreds or more desktops to look at," he said. "It's very difficult to figure out the best way to apply all these. My advice is to do a risk assessment. Prioritize. See what should be patched first and what can wait. And test everything, because anything that might break will break."