Microsoft Finds Problem in Patch, as Fresh Windows Flaws Uncovered
by Alex Woodie
Microsoft knew there'd be weeks like this. Soon after posting a collection of nine security patches on its Web site last Tuesday, the software giant became aware that one of the patches is having a deleterious effect on some users' computers. Also, one of the security software firms that has been particularly successful in finding flaws in Microsoft products, eEye Digital Security, has alerted the world to new vulnerabilities in Windows Media Player and Internet Explorer that affect current versions of Windows.
Following a month without security patches due to a software quality problem in its patch-writing department, Microsoft unleashed a torrent of fixes for various security holes in its products last week (see "Patch Tuesday Yields Nine Patches, Three That Are Critical"). As it turns out, there is a quality issue with one of the new patches introduced last week, although it's unknown if it's related to the same problem patch that led Microsoft to cancel September's Patch Tuesday.
Microsoft says there is a problem with Security Bulletin MS05-051, a patch that actually fixes four security vulnerabilities that could let attackers take complete control of, and launch denial-of-service attacks against, affected systems, including Windows Server 2003, Windows XP, and Windows 2000. The part of MS05-051 causing problems is the fix for a buffer overflow vulnerability in the Microsoft Distributed Transaction Coordinator (MSDTC).
According to Microsoft, users may experience several problems after applying the MS05-051 patch, including the failure of the Windows Installer, Windows Firewall, and COM+ EventSystem services to start; the failure of all COM+ applications to load; the return of "HTTP 500 - Internal Server Error" on Microsoft's Internet Information Server (IIS) using Active Server Pages; and the failure of authenticated users to log on. Basically, Windows doesn't work, and "a blank screen appears" after the user applies the October patches, according to the vendor.
The problem has to do with COM+ permissions, and can be fixed with a few tweaks. A Knowledge Base article published Saturday tells users how to restore the default permissions to the COM+ catalog.
Meanwhile, eEye Digital Security--the organization that found the MSDTC flaw in July--posted an "upcoming advisory" on its Web site Monday that describes a security vulnerability in Windows Media Player and Internet Explorer.
eEye gave the new vulnerability a critical rating because it could allow a hacker to remotely execute code on an affected system, although the company's chief researcher has reportedly said the vulnerability is not "wormable." This newly reported vulnerability affects Windows NT, Windows 2000, Windows XP with Service Pack 1 (SP1) and SP2, and Windows Server 2003 and Windows Server SP1. A link to the advisory can be found here.
No additional technical details of the new vulnerability were provided. eEye Digital Security says it practices "responsible disclosure," which involves sharing technical details of vulnerabilities with software vendors, and sharing vulnerability details with the public only after a fix has been issued. eEye expects vendors to provide remediation for flaws in a timely fashion, and if a vendor has not issued a patch for a vulnerability within 60 days of it becoming public, eEye marks it as "overdue" on its Web site. There are currently five security vulnerabilities in Microsoft products that eEye considers overdue, as well as some in RealNetworks and Macromedia products, according to eEye's list of current and overdue security advisories.
Orange County, California-based eEye Digital Security employs a research team that's dedicated to ferreting out security vulnerabilities in software. It also writes intrusion prevention systems to protect customers from exploits designed around these flaws.
The company and its research team were responsible for finding four of the security flaws (three of them critical flaws) that were fixed in last week's batch of patches from Microsoft. This fact gives credence to the company's claim, posted on its Web site, that it has "discovered more critical security vulnerabilities than any other organization over the last several years," including the vulnerabilities that were exploited by the Code Red, Sasser, and SQL Sapphire worms.