Volume 3, Number 31 -- September 13, 2006

Zero-Day Word Exploit Not Addressed in "Patch Tuesday Lite"

Published: September 13, 2006

by Alex Woodie

Microsoft issued three patches for security vulnerabilities yesterday, including one for a critical flaw in Office Publisher that could let attackers take control of affected systems. In addition to the low patch count, what was notable about yesterday's release of patches was the lack of a patch for the memory corruption flaw in Word 2000 that led to the zero-day "MDropper.Q" Trojan over the Labor Day weekend. Meanwhile, malware writers continue to target the vulnerabilities Microsoft fixed last month.

When Microsoft issued its monthly pre-release security patch advisory late last week, the vendor said to expect three patches, including one critical patch, and one for a flaw in Office. Many assumed that meant Microsoft would be addressing the vulnerability exploited by the "MDropper.Q" Trojan, a so-called "zero-day" exploit because the malware and the underlying security vulnerability were discovered at the same time (see "Zero-Day Word Exploit Making the Rounds" in last week's issue of this newsletter).

However, that wasn't the case, as the software giant has yet to fix the Word 2000 bug. The latest official communication from Microsoft on the topic is last week's Microsoft Security Advisory 925059, which says the company is still investigating the issue. Some experts have raised the possibility that Microsoft may elect to issue an out-of-cycle patch, which the vendor keeps threatening to do, but rarely actually does.

While it hasn't yet tackled the zero-day Word exploit, Microsoft did fix another critical vulnerability in its Office suite that could allow an attacker to take over an affected computer. The flaw, which is fixed with Microsoft Security Bulletin MS06-054, introduces the possibility of remote code execution when a user tries to open a malformed Publisher (.pub) file using one of the versions of Publisher shipped with Office 2000, Office XP, and Office 2003. Microsoft says the vulnerability was privately reported to Microsoft, and that it's not aware of any active exploits using this flaw.

Microsoft Security Bulletin MS06-053 fixes a cross-site scripting vulnerability in all current releases of Windows that could be used to steal personal information from users. A flaw in how the Microsoft IIS Web server's indexing service validates queries could allow an attacker to run a client-side script on behalf of a user. However, the components needed to successfully execute such an attack are not installed by default, which means this flaw poses only a moderate threat. Microsoft says the flaw was privately reported, and is not being actively exploited.

Microsoft Security Bulletin MS06-052 fixes an "invalid memory access" problem in the Windows implementation of the Pragmatic General Multicast (PGM) protocol that could lead to remote code execution in Windows XP Service Pack 1 (SP1) and Windows XP SP2. Microsoft gives the PGM flaw an "important" rating (one step above moderate, but one step below critical) because the Windows service needed to exploit this flaw, Microsoft Message Queuing Services (MSMQ) version 3.0, is not installed by default. Like the other two flaws fixed this week, Microsoft says the PGM flaw was privately reported, and is not being actively exploited.

Microsoft also published a non-security related security advisory that fixes an issue that is affecting some Windows users. The software giant says some users are receiving an error when they try to update a computer running a "minifilter-based application." Currently, the only minifilter-based application causing this behavior is the File Server Resource Manager (FSRM), which is only available on Windows Server 2003 R2. However, because many vendors are developing their own minifilter-based applications, Microsoft is encouraging all Windows 2000, Windows XP, and Windows Server 2003 users to download the update. You can read more about the update error at Microsoft Security Advisory 922582.

Meanwhile, the vulnerability disclosure-malware release lifecycle continues, with viruses, worms, and assorted malware continuing to exploit security vulnerabilities that Microsoft has already fixed, but which many Windows users around the world have failed to block by installing the patches. The most pernicious of these nasties are the class of worms exploiting the buffer overflow vulnerability in the Windows Server Service facility that Microsoft fixed a month ago with Microsoft Security Bulletin MS06-040. Check out the SANS Internet Storm Center for the latest information on what's going around.


RELATED STORIES

Zero-Day Word Exploit Making the Rounds

Worms Exploiting Windows Server Service Vulnerability

Microsoft Fixes 23 Security Vulnerabilities with 12 Patches






Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.


The Windows Observer


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
