In-Depth

Microsoft and Apple Patch Operating Systems

Microsoft patches two buffer overflow vulnerabilities, Apple patches OS X 10.4

• By Mathew Schwartz
• 07/19/2005

Microsoft announced five new vulnerabilities in its products this month, and Symantec rates two as being extremely serious. In addition, Apple patched its recently released 10.4 operating system.

The first Microsoft announcement concerns a remote-code-execution vulnerability in the Microsoft Color Management Module (CMM), which could lead to a buffer overflow. Successful exploitation would allow an attacker to execute code of their choosing.

The vulnerability affects Windows 98, Windows Me, Windows 2000, Windows Server 2003, and Windows XP, and Microsoft says it’s already being actively exploited. Security information provider Secunia rates the flaw as “extremely critical,” and recommends immediate remediation.

“If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” notes Microsoft.

A user, however, might first need to visit “a malicious Web site or view a malicious e-mail message containing a specially crafted image file,” notes Secunia. Receipt of an attack e-mail could trigger the buffer overflow. “It may be possible to exploit Outlook users by just previewing the e-mail,” says Symantec. “Other applications that use CMM could be vulnerable as well, including Internet Explorer and MSN Messenger.”

In particular, CMM is vulnerable “because of the way that it handles ICC profile format tag validation,” notes Microsoft. An ICC file is a cross-platform color profile. The standard was created by the International Color Consortium. CMM processes image files for a variety of file formats in Windows, including PDF, TIFF, and JPEG files.

After exploiting the vulnerability, “an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” notes Microsoft. It recommends applying the patch immediately.

The second major Microsoft vulnerability is a font parsing buffer overflow in Microsoft Word. Word 2000 and 2002, Microsoft Office 2000 Service Pack 3, Microsoft Office XP Software Service Pack 3, and Microsoft Works Suite 2000, 2001, 2002, 2003, and 2004 are affected.

According to Microsoft, “an attacker who successfully exploited this vulnerability to take complete control of the affected system.” Note, however, it cannot be exploited directly through e-mail; the user must open an attachment first.

Microsoft also released a patch for a known vulnerability in Javaprxy.dll, an interface for a debugger in Microsoft’s Java Virtual Machine. “An attacker could exploit this vulnerability through malicious Web pages and run code on the local system resulting in complete control of the affected computer,” notes Symantec.

Exploit code for the Javaprxy.dll vulnerability is already available. Secunia says Internet Explorer 6.0 running on Windows XP SP2 is affected, and that Internet Explorer 5.01 and 5.5 may also be at risk. It rates the vulnerability as “extremely critical.”

Until users patch the above vulnerabilities, there are some temporary workarounds. “While these are high-risk vulnerabilities, there are many steps users can take to protect themselves,” notes Oliver Friedrichs, a senior manager at Symantec Security Response. “Users should never open files or click on links from unknown sources. Computer users should keep software running with the least privileges possible, and deploy network intrusion detection systems to monitor network traffic for signs of suspicious activity.”

Apple Patches TCP/IP, Dashboard

In other operating system news, Apple released a patch for its operating system (OS X), version 10.4, as well as for 10.4 Server. The patch fixes two vulnerabilities, rated moderately critical by Secunia, which could cause a denial of service, or replace widgets on a user’s computer.

The first vulnerability involves a TCP/IP implementation error that could allow an attacker to exploit a null pointer—a direction to the operating system about where there’s free space in memory—to crash the kernel.

The second vulnerability relates to the Dashboard feature in OS X 10.4. An attacker could trick the Dashboard into accepting widgets with the identical internal identifier to Apple-supplied widgets, and thus replace the widget, potentially with malicious code.