Volume 4, Number 23 -- June 13, 2007

Microsoft Patches 17 Flaws in Client Products

Published: June 13, 2007

by Alex Woodie

Server operators could breathe a little easier following the latest round of patches by Microsoft yesterday, but PC administrators must still be on guard. The Patch Tuesday event for June continued the recent spate of client-side vulnerabilities with four critical patches, one important patch, and one moderate patch fixing 17 separate security problems in Microsoft's client-side products. And at least one security expert contends Microsoft attempted to conceal a major programming gaffe in Windows Vista by labeling a flaw moderate instead of giving it the critical label it deserved.

The one Microsoft patch causing a little stir is Microsoft Security Bulletin MS07-032, which fixes what Microsoft has deemed a moderate information disclosure flaw in the 32-bit and 64-bit versions of Windows Vista. This flaw, which officially is called the Permissive User Information Store ACLs Information Disclosure Vulnerability, could allow a user with limited rights and privileges to access local user information data stores, including the user names and passwords of the system administrator.

While this flaw isn't, by itself, a remote code execution vulnerability, it could easily lead to one if a hacker signed onto the system using the administrator's user name and password. That's why Eric Schultze, chief security architect for security software researcher and developer Shavlik Technologies, believes that Microsoft is trying to slip one by the unsuspecting masses.

"Microsoft is trying to pull a fast one and call the vulnerability moderate when it should be critical. If nothing else, as an unprivileged user, I now have access to become an administrator on my system," Schultze says. "[The password] might not be in clear text. It might be in hash that would have to be cracked. But any user has access to the file and registry information."

Schultze, who used to work in Microsoft's security department and has seen similar password problems before, has an idea how the vulnerability came to pass. "What it means is, during the upgrade process, they were recording the user names and password and writing it into a file. And after the upgrade, they either forgot to delete or erase the file," he says. "Microsoft is probably a little embarrassed about it. So they've been kind of ambiguous in their bulletin about what it is. They don't want to come out in their bulletin, because they'd get laughed at, and make people a little nervous." Microsoft credits Robbie Sohlman with discovering the flaw.
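The class of problem described above is a data store whose file ACL lets ordinary users read what only administrators should see. As an added illustration (not code from the article, from Shavlik, or from Microsoft), this PowerShell snippet walks a directory tree and reports every Allow entry that grants read access to a broad, low-privilege principal; the root path is a placeholder, since the bulletin does not name the affected files.

```powershell
# Added example: audit a directory tree for access-control entries that grant
# broad, low-privilege principals read access. The root path is a placeholder;
# point it at the data store you want to review.
$Root = 'C:\PLACEHOLDER\SensitiveStore'

# Principals that any standard (non-administrator) interactive user belongs to.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Find-PermissiveAces {
    param([string]$Path, [string[]]$Principals)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl  = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                # Deny entries restrict access; only Allow entries can leak data.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
                # ReadData (ListDirectory on folders) is the bit that permits reading contents.
                $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
                if (([int]$ace.FileSystemRights -band $readBit) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

Find-PermissiveAces -Path $Root -Principals $BroadPrincipals |
    Sort-Object Path | Format-Table -AutoSize
```

Inherited entries usually point at a permissive parent folder rather than the file itself, so fix the ACL where the entry originates instead of on each reported file.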

According to Amol Sarwate, research manager at security software vendor Qualys, two patches--Microsoft Security Bulletin MS07-031 and Microsoft Security Bulletin MS07-035--are the most critical patches released yesterday and should be applied first because they could lead to exploits activated by users simply viewing an infected Web site.

Microsoft Security Bulletin MS07-031 fixes a problem in the Secure Channel (Schannel) security package in Windows 2000, Windows XP, and Windows Server 2003. Schannel implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) in these operating systems, and a problem with the handling of digital signatures could allow an attacker to take control of affected systems (Windows XP) or crash the server (Windows 2000 and Windows Server 2003). Microsoft credits Thomas Lim of the Singapore-based company COSEINC for finding and reporting the vulnerability, which Microsoft says is not being actively exploited.

Microsoft Security Bulletin MS07-035 also brings a remote code execution vulnerability to Windows 2000, Windows XP, and Windows Server 2003 systems. The patch fixes a problem with the way the Win32 API validates parameters, which could allow an attacker to take total control of a computer if they trick a user into visiting a malformed Web site. Microsoft credits Billy Rios of VeriSign with finding the Win32 API Vulnerability.

Microsoft Security Bulletin MS07-033 is a cumulative security update for Internet Explorer that addresses six separate remote code execution and spoofing flaws in versions 6 and 7 of the popular Web browser. In each case, flaws in IE could allow an attacker to take total control of an affected system or potentially steal personal information from unsuspecting victims by tempting victims to maliciously formed Web pages. Microsoft credited a slew of individuals with finding the flaws and reporting them, including an anonymous researcher with iDefense, Tom Cross with IBM's subsidiary, an anonymous researcher working with Tipping Point and the Zero Day Initiative, Sam Thomas of Tipping Point and the Zero Day Initiative, Will Doorman of CERT, and cocoruder (an Internet handle, apparently) of Fortinet Security Research.

Microsoft Security Bulletin MS07-034 fixes four flaws in Outlook Express and Windows Mail that make Windows Vista users vulnerable to remote code execution threats and make Windows XP and Windows Server 2003 users vulnerable to information disclosure. The patch fixes two previously unidentified flaws and two previously identified flaws. While two of the flaws had been previously identified, they weren't being actively exploited in the wild, Microsoft says. The software giant credits the SANS Internet Storm Center and Yosuke Hasegawa of WebAppSec.JP for working with Microsoft and reporting the vulnerabilities.

The final patch, Microsoft Security Bulletin MS07-030, fixes a pair of remote code execution threats in Visio 2002 and 2003 that Microsoft has deemed "important" threats. (Important threats sit between critical and moderate flaws on the Microsoft threat severity scale. Although these are remote execution flaws, they weren't deemed critical because Visio is not turned on by default.) Microsoft says the vulnerabilities could be exploited over the Web or through e-mail. Chris Ries of Vigilant Minds was credited with finding one of the vulnerabilities; neither of the flaws had been previously reported or exploited in the wild, Microsoft says.

While none of the flaws fixed this week are currently being exploited, that is likely to change in the days and weeks to come, as hackers learn from Microsoft's disclosures, reverse engineer the patches, build tools that automatically exploit the vulnerabilities, and share their work with other like-minded individuals. That's why it's important to apply these patches as soon as possible to stay as far ahead of the game as possible.

While these flaws aren't being exploited, there are still public flaws in Microsoft products that are being exploited, Qualys' Sarwate says. "Noticeably absent from this month's release are fixes for the three zero days which became public in the April time frame," he writes. "They affect Word, Windows Help, and Office Publisher and are all buffer overflow vulnerabilities. Having said that, so far there have been no reported crucial code execution associated with them that would perhaps elevate their prioritization."

Microsoft also made some changes to its ANS (Advanced Notification System) this month. "Overall, it is an improvement on the affected software matrix, providing more detail of severity, vulnerability impact, detection, and affected products for each patch," Sarwate notes. However, it's not all milk and honey. "Under the new system, it is not immediately evident how many problems will be remediated with each particular patch," he says.

Microsoft will be holding its regularly scheduled conference call today to discuss this month's patches. To sign up for the event, which starts at 11 a.m. Pacific Daylight Time, go to www.microsoft.com/technet/security/default.mspx.

Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034