two
Volume 3, Number 35 -- October 11, 2006

Microsoft Fixes 26 Security Flaws, But Update Service Fails

Published: October 11, 2006

by Alex Woodie

It was a very busy Patch Tuesday for Microsoft security personnel yesterday, as the company issued 10 patches that fix 26 security vulnerabilities in its software, including six critical patches, three of which fix zero-day vulnerabilities. The company also had to scramble to get automatic updates back up and running after its Automatic Update service went down, further delaying the distribution of patches and setting Microsoft back a step at a critical juncture in the quickening war against malware and malware writers.

Organizations that rely on Microsoft's Automatic Update feature to alert servers and PCs of new updates and then to handle the downloading and installation process were left with few options yesterday as a network problem prevented the system from working, leaving unprotected millions of PCs around the world that would normally have gotten the updates.

Even users who manually initiated Automatic Update were left with a screen telling them that there were no updates. Only users who had the technical knowledge to manually download the updates from Microsoft's TechNet Security Center could access the patches. Organizations with many PCs to patch then needed to distribute these patches using a patch management tool from Microsoft or another vendor, or a technically savvy administrator could distribute them by writing a script.

Considering the fact that three of the critical vulnerabilities are being actively exploited by malware circulating the Internet, the problem with Automatic Updates could not have come at a worse time.

Security research firm Qualys advised Windows shops to download only the three most critical patches that fix several zero-day exploits, including Security Bulletin MS06-057, Security Bulletin MS06-058, and Security Bulletin MS06-060. Altogether, these three patches address nine critical vulnerabilities.

Security Bulletin MS06-057 is a critical patch that fixes the recently discovered, zero-day WebViewFolderIcon vulnerability in the Windows Shell. This vulnerability, which spawned a third-party patch from the Zeroday Emergency Response Team two weeks ago, was responsible for zero-day attacks circulated via malicious ActiveX objects.

Security Bulletin MS06-058 fixes four critical vulnerabilities in PowerPoint that attackers could use to take control of an effected system. One of the PowerPoint flaws had been publicly disclosed, and is being actively exploited on the Net by attackers who try to get unsuspecting users to open maliciously crafted PowerPoint documents. The other three flaws were privately reported to Microsoft and have not been the basis for malware attacks (although, if history is any guide, that is likely to change in the days to come).

Security Bulletin MS06-060 fixes four critical vulnerabilities in Microsoft Word that could give attackers total control of a computer. Three of the vulnerabilities were privately disclosed to Microsoft, and therefore haven't been the basis for attacks (yet). One of the vulns, however, is being actively exploited to spread malware when a user opens a maliciously crafted Word document.

Another critical patch is Security Bulletin MS06-059, which fixes four vulnerabilities in all recent versions of Excel (four is the magic number, and the magic number is . . . ) Two of these flaws have been disclosed in the public arena, according to Microsoft, although it says it hasn't seen any exploit code utilizing the flaws to launch attacks or circulate malware.

Security Bulletin MS06-061 addresses two critical vulnerabilities affecting Microsoft's XML Parser 2.6 and XML Core Services 3.0 , which are circulated with all current operating systems, as well as Office Service Pack (SP) 1 and SP2. Microsoft says this flaw, which could be exploited with a specially crafted Web page, was privately disclosed.

The last of the critical vulnerabilities, Security Bulletin MS06-062, fixes four (there's that number again!) flaws in Office that could allow an attacker to take complete control of a system. Only one of these flaws--the Office Smart Tag Parsing Vulnerability--had been publicly disclosed before yesterday, Microsoft says, although the company says it's not aware of any attacks exploiting this flaw.

Microsoft issued one patch, Security Bulletin MS06-063, that fixes two flaws it rates as "important." These flaws fix a flaw in the Windows server service that could be exploited to launch a denial of service attack, according to Microsoft.

John Bitle, a senior product manager with Qualys, says this vulnerability was an unexpected addition to Microsoft's batch of patches. "63 kind of caught us off-guard," he says. It was surprising to see "another vulnerability in the server service so quickly," a reference to Security Bulletin MS06-040, issued in August, which later was used to launch worm attacks, and Security Bulletin MS06-035, which was released in July. This flaw should probably be kept an eye on.

Besides the network outage that caused the hiccup in Automatic Update, it wasn't a particularly noteworthy Patch Tuesday, Bitle says. "It was almost a catch up, with the number of zero days addressed in this release," he says.

A monthly pattern has emerged between Microsoft and malware writers. Not only will malware writers begin to take advantage of all the new vulnerabilities that Microsoft discloses to the world on the second Tuesday of every month, malware writers that are keeping their own discoveries of flaws in Microsoft products secret are timing the release of their creations to Patch Tuesday.

"It's interesting," Bitle says. "People are timing the release in just such a way that it comes right after Microsoft patches. If you look over the summer there have been a number of instances that's occurred, where they've released exploit code for a vulnerability that wasn't addressed after Microsoft releases patches for he month, and that has kept Microsoft scrambling."

Other less-important, but still noteworthy, patches issued yesterday include:

  • Security Bulletin MS06-056, which addresses a "moderate" cross-site scripting vulnerability in .NET Framework 2.0 that carries the risk of information disclosure.
  • Security Bulletin MS06-065, which fixes a privately disclosed vulnerability in the Windows Object Packager that could allow remote execution. Microsoft gave it a "moderate" rating.
  • Security Bulletin MS06-064, which fixes three publicly disclosed vulnerabilities in Windows TCP/IP v6 services that could allow an attacker to launch a denial of service attack. Although these problems have been publicly disclosed, they carry a low risk of exploitation, as they have not been actively used on the Internet.

Microsoft did not respond to an e-mail requesting information concerning the Automatic Update outage.

Microsoft will be hosting a Webcast today at 11 a.m. PT to discuss the patches. Interested parties can register at Microsoft's TechNet Security Center at www.microsoft.com/technet/security/default.mspx.



Sponsored By
VISION SOLUTIONS

Are you managing your downtime effectively?

Managed Availability and Business Continuity center on the elimination of downtime or, at least, mitigating its impact on an organization.

Download Vision Solutions' white paper "Understanding Downtime" and explore common topics associated with downtime. Use the Annual Cost of Downtime Worksheet (included) to help calculate downtime costs relative to your business.

Download the white paper today at
www.visionsolutions.com



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

Micro Focus:  Develop, extend and deploy applications with Server Express and Enterprise Server
Wolf Computer Consulting:  Reliable service and affordable rates for business computing needs
COMMON:  Join us at the Spring 2007 conference, April 29 - May 3, in Anaheim, California

 
THIS ISSUE SPONSORED BY:

Vision Solutions
OpenLogic
Lakeview Technology
World Data Products
MKS



TABLE OF CONTENTS
Microsoft Fixes 26 Security Flaws, But Update Service Fails

Microsoft Tightens the Screws on Windows Pirates

Gateway Rolls Out Xeon Servers, Readies Opterons

Microsoft Talks Up 'Real World' SOA

But Wait, There's More:


Microsoft Issues, Then Pulls, Windows Vista RC2 . . . California Manufacturer Replaces Oracle with Dynamics AX . . . Itanium Platform Boasts More Than 10,000 Applications . . . Gartner Says a Quarter of Software Sales to Go SaaS By 2011 . . . IBM Tackles Data Center Cooling with Services Offering . . . IBM Boosts Support For Composite Apps, Windows, and Unix with Cluster Middleware . . .

The Windows Observer

BACK ISSUES

The Four Hundred
Details Emerge on Possible "Work Stream" Entry i5 Server

System i Vendors Merge as Help/Systems Acquires ASC

Legacy Application Modernization Strategies Hinge on SOA

As I See It: History Makers

The Linux Beacon
Terra Soft to Build Cell-Based Super Out of PS3 Beta Iron

Gateway Rolls Out Xeon Servers, Readies Opterons

Itanium Platform Boasts More Than 10,000 Applications

As I See It: History Makers

Big Iron
Legacy Application Modernization Strategies Hinge on SOA

Top Mainframe Stories and Vendor Announcements

Chats, Webinars, Seminars, Shows, and Other Happenings

The Unix Guardian
Bang for the Buck: Entry Unix Servers Compete with Linux and Windows

Sun Wheels and Deals to Push Servers and Storage

OpenSparc Project Taps Advisory Board, Sees Linux Momentum

VMware Extends ESX Server to 64 Bits, Betas New P2V Converter


 
Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at http://www.itjungle.com/sub/subscribe.html.

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement