Microsoft Fixes 26 Security Flaws, But Update Service Fails
Published: October 11, 2006
by Alex Woodie
It was a very busy Patch Tuesday for Microsoft security personnel yesterday, as the company issued 10 patches that fix 26 security vulnerabilities in its software, including six critical patches, three of which fix zero-day vulnerabilities. The company also had to scramble to get automatic updates back up and running after its Automatic Update service went down, further delaying the distribution of patches and setting Microsoft back a step at a critical juncture in the quickening war against malware and malware writers.
Organizations that rely on Microsoft's Automatic Update feature to alert servers and PCs to new updates and then to download and install them were left with few options yesterday. A network problem prevented the service from working, leaving unprotected millions of PCs around the world that would normally have received the updates.
Even users who manually initiated Automatic Update were left with a screen telling them that there were no updates. Only users who had the technical knowledge to manually download the updates from Microsoft's TechNet Security Center could access the patches. Organizations with many PCs to patch then needed to distribute these patches using a patch management tool from Microsoft or another vendor, or a technically savvy administrator could distribute them by writing a script.
Considering the fact that three of the critical vulnerabilities are being actively exploited by malware circulating the Internet, the problem with Automatic Updates could not have come at a worse time.
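The manual fallback described above, as an added example that is not code from the article, from Microsoft or from Qualys: a PowerShell audit that, instead of trusting the "no updates" answer Automatic Update gave during the outage, asks each host which hotfixes are actually installed and produces the list of machines that still need this month's patches. It assumes a PowerShell with Get-HotFix (a later tool than the `wmic qfe` listing an administrator would have typed in 2006), WMI reachable on the target hosts, and an account with administrative rights on them. The host names and the KB numbers in $RequiredHotfixes are placeholders: substitute the KB article IDs listed in each bulletin.

```powershell
# Added example, not from the article. Audits hosts for this month's hotfixes
# directly instead of relying on Automatic Update, which during the outage
# told even unpatched machines that there were no updates.
# Assumptions: PowerShell with Get-HotFix, WMI reachable on each host, and an
# account with admin rights on those hosts.

# Bulletin -> KB article ID. The KB numbers are PLACEHOLDERS (hypothetical);
# take the real ones from each bulletin's affected-software table.
$RequiredHotfixes = [ordered]@{
    'MS06-057' = 'KB000057'
    'MS06-058' = 'KB000058'
    'MS06-060' = 'KB000060'
}

# Constructed sample host list; in practice read it from AD or a text file.
$Hosts = @('WKS-001', 'WKS-002', 'SRV-FILE01')

$Report = foreach ($Computer in $Hosts) {
    try {
        # Win32_QuickFixEngineering over WMI; the 2006-era equivalent is
        # "wmic /node:<host> qfe get HotFixID".
        $Installed = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
    } catch {
        # Report unreachable hosts rather than skipping them, so coverage
        # numbers are not inflated by machines that never answered.
        [pscustomobject]@{
            Host     = $Computer
            Bulletin = '-'
            KB       = '-'
            Status   = "unreachable: $($_.Exception.Message)"
        }
        continue
    }

    foreach ($Bulletin in $RequiredHotfixes.Keys) {
        $Kb = $RequiredHotfixes[$Bulletin]
        if ($Installed -contains $Kb) { $Status = 'installed' } else { $Status = 'MISSING' }
        [pscustomobject]@{
            Host     = $Computer
            Bulletin = $Bulletin
            KB       = $Kb
            Status   = $Status
        }
    }
}

# Everything not installed is the work list for manual or scripted deployment.
$Report | Where-Object { $_.Status -ne 'installed' } | Format-Table -AutoSize

# Keep the full inventory for the change record.
$Report | Export-Csv -Path "$env:TEMP\patch-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The same bulletin-to-KB table can then drive the installation step: the packages downloaded from the bulletins are copied to a file share and run on each host in the MISSING list with the silent-install switches documented in the bulletin, after which the audit is re-run to confirm the hotfix IDs now appear.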
Security research firm Qualys advised Windows shops to prioritize the three critical patches that fix vulnerabilities already being exploited in the wild: Security Bulletin MS06-057, Security Bulletin MS06-058, and Security Bulletin MS06-060. Together, these three patches address nine critical vulnerabilities.
Security Bulletin MS06-057 is a critical patch that fixes the recently discovered, zero-day WebViewFolderIcon vulnerability in the Windows Shell. This vulnerability, which spawned a third-party patch from the Zeroday Emergency Response Team two weeks ago, was responsible for zero-day attacks circulated via malicious ActiveX objects.
Security Bulletin MS06-058 fixes four critical vulnerabilities in PowerPoint that attackers could use to take control of an affected system. One of the PowerPoint flaws had been publicly disclosed, and is being actively exploited on the Net by attackers who try to get unsuspecting users to open maliciously crafted PowerPoint documents. The other three flaws were privately reported to Microsoft and have not been the basis for malware attacks (although, if history is any guide, that is likely to change in the days to come).
Security Bulletin MS06-060 fixes four critical vulnerabilities in Microsoft Word that could give attackers total control of a computer. Three of the vulnerabilities were privately disclosed to Microsoft, and therefore haven't been the basis for attacks (yet). One of the vulnerabilities, however, is being actively exploited to spread malware when a user opens a maliciously crafted Word document.
Another critical patch is Security Bulletin MS06-059, which fixes four vulnerabilities in all recent versions of Excel (four is the magic number, and the magic number is . . . ) Two of these flaws have been disclosed in the public arena, according to Microsoft, although it says it hasn't seen any exploit code utilizing the flaws to launch attacks or circulate malware.
Security Bulletin MS06-061 addresses two critical vulnerabilities affecting Microsoft's XML Parser 2.6 and XML Core Services 3.0, which ship with all current versions of Windows as well as Office Service Pack (SP) 1 and SP2. Microsoft says these flaws, which could be exploited through a specially crafted Web page, were privately disclosed.
The last of the critical vulnerabilities, Security Bulletin MS06-062, fixes four (there's that number again!) flaws in Office that could allow an attacker to take complete control of a system. Only one of these flaws--the Office Smart Tag Parsing Vulnerability--had been publicly disclosed before yesterday, Microsoft says, although the company says it's not aware of any attacks exploiting this flaw.
Microsoft issued one patch, Security Bulletin MS06-063, that fixes two flaws it rates as "important." They affect the Windows Server service and, according to Microsoft, could be exploited to launch a denial of service attack.
John Bitle, a senior product manager with Qualys, says this vulnerability was an unexpected addition to Microsoft's batch of patches. "63 kind of caught us off-guard," he says. It was surprising to see "another vulnerability in the server service so quickly," a reference to Security Bulletin MS06-040, issued in August, which was later used to launch worm attacks, and Security Bulletin MS06-035, which was released in July. This flaw bears watching.
Besides the network outage that caused the hiccup in Automatic Update, it wasn't a particularly noteworthy Patch Tuesday, Bitle says. "It was almost a catch up, with the number of zero days addressed in this release," he says.
A monthly pattern has emerged between Microsoft and malware writers. Not only do malware writers begin to take advantage of the new vulnerabilities that Microsoft discloses to the world on the second Tuesday of every month; those who have been keeping their own discoveries of flaws in Microsoft products secret are also timing the release of their creations to Patch Tuesday, so that the flaws go unpatched for as long as possible.
"It's interesting," Bitle says. "People are timing the release in just such a way that it comes right after Microsoft patches. If you look over the summer there have been a number of instances that's occurred, where they've released exploit code for a vulnerability that wasn't addressed after Microsoft releases patches for the month, and that has kept Microsoft scrambling."
Other less-important, but still noteworthy, patches issued yesterday include:
- Security Bulletin MS06-056, which addresses a "moderate" cross-site scripting vulnerability in .NET Framework 2.0 that carries the risk of information disclosure.
- Security Bulletin MS06-065, which fixes a privately disclosed vulnerability in the Windows Object Packager that could allow remote code execution. Microsoft gave it a "moderate" rating.
- Security Bulletin MS06-064, which fixes three publicly disclosed vulnerabilities in the IPv6 component of Windows TCP/IP that could allow an attacker to launch a denial of service attack. Although these problems have been publicly disclosed, the bulletin carries only a "low" rating, and the flaws have not been seen actively exploited on the Internet.
Microsoft did not respond to an e-mail requesting information concerning the Automatic Update outage.
Microsoft will be hosting a Webcast today at 11 a.m. PT to discuss the patches. Interested parties can register at Microsoft's TechNet Security Center at www.microsoft.com/technet/security/default.mspx.