Volume 2, Number 40 -- October 12, 2005

Patch Tuesday Yields Nine Patches, Three That Are Critical


by Alex Woodie


It has been two months since Microsoft last issued a round of patches to fix security vulnerabilities in its products, because September's patches were cancelled. That might be one reason why October's Patch Tuesday yielded a bumper crop of fixes, including nine patches for more than 13 newly discovered flaws. This includes three patches for critical security vulnerabilities, four patches for flaws rated "important," and two patches that fix problems rated "moderate."

The first critical patch, Microsoft Security Bulletin MS05-050, fixes a vulnerability in the DirectShow component of Windows that could enable an attacker to take complete control of affected systems, including Windows Server 2003, Windows 2000, Windows XP, and all Windows 98-era operating systems, including Windows 98 SE and ME. DirectShow is a DirectX technology used for the capture and playback of high-quality media streams in Windows. Microsoft says this is a newly found vulnerability that was privately reported by eEye Digital Security, an Aliso Viejo, California, security software developer, and that it hasn't seen any exploits designed around this flaw.

The second critical patch, Microsoft Security Bulletin MS05-051, fixes a slew of problems that could also let attackers take complete control of, or launch denial of service attacks against, affected systems, including Windows Server 2003, Windows XP, and Windows 2000. Not all operating systems are affected equally by the vulnerabilities fixed with this patch, which include a buffer overflow problem with Microsoft Distributed Transaction Coordinator (MSDTC), the Component Object Model Plus (COM+) Vulnerability, the Transaction Internet Protocol (TIP) Vulnerability, and the Distributed TIP Vulnerability. For example, the MSDTC and the COM+ vulnerabilities, which can lead to total system control for attackers, are rated "critical" on Windows 2000, but only "important" on Windows Server 2003, and the MSDTC vulnerability doesn't affect Windows XP Service Pack 2 (SP2) or Windows Server 2003 SP1. Microsoft says these are newly found, privately reported vulnerabilities, and that it hasn't seen any exploits designed around these flaws. They were reported by eEye (MSDTC), Argeniss Information Security (COM+), an Argentinean security software developer, and iDefense (TIP and Distributed TIP), a Reston, Virginia, security firm.

The third critical patch, Microsoft Security Bulletin MS05-052, is a cumulative update for Windows Internet Explorer versions 5 and 6 that addresses a new vulnerability in IE that could allow an attacker to gain total control of an affected computer, including those running practically any current Windows operating system (which is currently Windows 2000 SP4 and later). Microsoft says the IE patch fixes the publicly disclosed COM object Instantiation Memory Corruption vulnerability (referred to and described by the Common Vulnerabilities and Exposures as CAN-2005-2127), as well as variations of that same vulnerability privately reported by CERT Coordination Center, French Security Incident Response Team (FrSIRT), MCI, and eEye Digital Security.

Less critical vulnerabilities fixed yesterday include an unchecked buffer in the Client Service for NetWare (CSNW) that could enable an attacker to gain control of Windows 2000 SP4, Windows XP SP1 and SP2, and Windows Server 2003 and Windows Server 2003 SP1. Microsoft Security Bulletin MS05-046 resolves this newly discovered vulnerability, which was privately reported to Microsoft by CERT. Microsoft says it has seen no exploits in the wild designed for this CSNW vulnerability.

Microsoft is also fixing another problem with its Plug and Play (PnP) facility, which led to the outbreak of the somewhat destructive Zotob worm in mid-August (see "Windows 2000 Worm Wreaks Havoc"). The new patch, Microsoft Security Bulletin MS05-047, fixes a newly discovered PnP flaw (dutifully reported by the folks at eEye) that could let an attacker execute his code of choice on Windows 2000 SP4 and Windows XP SP1 and SP2 (and we're betting it's not Asteroids). This new patch is targeted primarily at Windows 2000 and XP SP1 users, and it builds on the previously issued patch for the earlier PnP flaw, Microsoft Security Bulletin MS05-039, which Microsoft issued in August just before Zotob made its rounds.

Microsoft Security Bulletin MS05-048 fixes a flaw in Microsoft's Collaboration Data Objects (CDO) that could allow remote code execution on affected systems, including Windows 2000 SP4, Windows XP SP1 and SP2, Windows XP Pro, Windows Server 2003 and its SP1 and 64-bit variants, and Exchange 2000 Server SP3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004 (whew!). Microsoft says the CDO vulnerability is a new flaw that was privately reported by Sec-1, an English security software firm, and that it is not aware of any wild exploits based on the CDO flaw.

Which brings us to Microsoft Security Bulletin MS05-049, which fixes two important problems in the Windows Shell and one problem with Windows Web View that could let attackers take over affected systems, including every version of Windows except the Windows 98-era operating systems. Microsoft says it is not aware of any exploit code based on these flaws, which were privately reported to Microsoft by Argeniss (the two Windows Shell vulns) and Security-Assessment.com, a security software firm based in Australia and New Zealand that reported the Web View Script Injection Vulnerability.


Another reason to upgrade to Windows Server 2003 SP1 and Windows XP SP2 is found in Microsoft Security Bulletin MS05-044, which fixes a newly discovered, public vulnerability in the way the Windows FTP client validates file names. This flaw, which was given a moderate severity rating by Microsoft, only affects Windows XP SP1, Windows Server 2003 (the original release), and, somewhat curiously, the Itanium version of Windows Server 2003. While this vulnerability has been publicly described (it will have a seat on the CVE list as CAN-2005-2126), Microsoft is not aware of any exploit code.

The final patch issued in yesterday's fun-filled Patch Tuesday is Microsoft Security Bulletin MS05-045, which fixes a vulnerability in Network Connection Manager that could lead to a denial of service attack. Systems affected include Windows 2000 SP4, Windows XP SP1 and SP2, and Windows Server 2003 and its SP1 variant. Like the Windows FTP flaw described above, the Network Connection Manager flaw has been publicly described by the CVE (as CAN-2005-2307); however, Microsoft is not aware of any exploit code.

Since 2004, Microsoft has regularly issued security patches on the second Tuesday of each month, a day that has come to be known as Patch Tuesday. The company skipped the Patch Tuesday for September after it found a problem with one of the patches. The company also decided not to issue patches in March.


Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik, Shannon O'Donnell,
Timothy Prickett Morgan, Victor Rozek, Kevin Vandever, Hesh Wiener
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034