Zero-Day Word Exploit Not Addressed in "Patch Tuesday Lite"
Published: September 13, 2006
by Alex Woodie
Microsoft issued three patches for security vulnerabilities yesterday, including one for a critical flaw in Office Publisher that could let attackers take control of affected systems. In addition to the low patch count, what was notable about yesterday's release of patches was the lack of a patch for the memory corruption flaw in Word 2000 that led to the zero-day "MDropper.Q" Trojan over the Labor Day weekend. Meanwhile, malware writers continue to target the vulnerabilities Microsoft fixed last month.
When Microsoft issued its monthly pre-release security patch advisory late last week, the vendor said to expect three patches, including one critical patch, and one for a flaw in Office. Many assumed that meant Microsoft would be addressing the vulnerability exploited by the "MDropper.Q" Trojan, a so-called "zero-day" exploit because the malware and the underlying security vulnerability were discovered at the same time (see "Zero-Day Word Exploit Making the Rounds" in last week's issue of this newsletter).
However, that wasn't the case, as the software giant has yet to fix the Word 2000 bug. The latest official communication from Microsoft on the topic is last week's Microsoft Security Advisory 925059, which says the company is still investigating the issue. Some experts have raised the possibility that Microsoft may elect to issue an out-of-cycle patch, which the vendor keeps threatening to do, but rarely actually does.
While it hasn't yet tackled the zero-day Word exploit, Microsoft did fix another critical vulnerability in its Office suite that could allow an attacker to take over an affected computer. The flaw, which is fixed with Microsoft Security Bulletin MS06-054, introduces the possibility of remote code execution when a user tries to open a malformed Publisher (.pub) file using one of the versions of Publisher shipped with Office 2000, Office XP, and Office 2003. Microsoft says the vulnerability was privately reported to Microsoft, and that it's not aware of any active exploits using this flaw.
Microsoft Security Bulletin MS06-053 fixes a cross-site scripting vulnerability in all current releases of Windows that could be used to steal personal information from users. A flaw in how the Microsoft IIS Web server's indexing service validates queries could allow an attacker to run a client-side script on behalf of a user. However, the components needed to successfully execute such an attack are not installed by default, which means this flaw poses only a moderate threat. Microsoft says the flaw was privately reported, and is not being actively exploited.
Microsoft Security Bulletin MS06-052 fixes an "invalid memory access" problem in the Windows implementation of the Pragmatic General Multicast (PGM) protocol that could lead to remote code execution in Windows XP Service Pack 1 (SP1) and Windows XP SP2. Microsoft gives the PGM flaw an "important" rating (one step above moderate, but one step below critical) because the Windows service needed to exploit this flaw, Microsoft Message Queuing Services (MSMQ) version 3.0, is not installed by default. Like the other two flaws fixed this week, Microsoft says the PGM flaw was privately reported, and is not being actively exploited.
Microsoft also published a non-security-related security advisory that fixes an issue that is affecting some Windows users. The software giant says some users are receiving an error when they try to update a computer running a "minifilter-based application." Currently, the only minifilter-based application causing this behavior is the File Server Resource Manager (FSRM), which is only available on Windows Server 2003 R2. However, because many vendors are developing their own minifilter-based applications, Microsoft is encouraging all Windows 2000, Windows XP, and Windows Server 2003 users to download the update. You can read more about the update error at Microsoft Security Advisory 922582.
Meanwhile, the vulnerability disclosure-malware release lifecycle continues, with viruses, worms, and assorted malware continuing to exploit security vulnerabilities that Microsoft has already fixed, but which many Windows users around the world have failed to block by installing the patches. The most pernicious of these nasties are the class of worms exploiting the buffer overflow vulnerability in the Windows Server Service facility that Microsoft fixed a month ago with Microsoft Security Bulletin MS06-040. Check out the SANS Internet Storm Center for the latest information on what's going around.