Busy October Patch Cycle Brings 11 Fixes
Security-minded admins have their work cut out for them
Microsoft announced that it's releasing 11 patches for the October rollout of its security fixes.
Four of the items are designated as "Critical" and six are deemed "Important," with a "Moderate" patch to round out the slate.
Don Leatham, senior director of solutions and strategy at Lumension Security, sums up Tuesday's release in one word: Busy.
"This is a pretty heavy Patch Tuesday in terms of volume. Given that the four critical bulletins deal with Windows and Excel 2000, Internet Explorer 6, and Microsoft Host Integration Server, organizations should not be lax when rolling out this month's patches. These vulnerabilities are also confirmed as remote code execution so they could, in theory, allow unfettered access to sensitive databases and therefore need to be treated very seriously."
Critical Patches
The first critical patch is an Active Directory fix, affecting only Windows 2000 Service Pack 4; the security update is designed to stop a remote code execution (RCE) attack. According to Microsoft, the vulnerability could allow remote code execution if an attacker gains access to an affected network. Redmond stresses that the bug can only be exploited on Microsoft Windows 2000 servers configured as domain controllers.
"If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability," the software giant said in its security bulletin statement.
An IE patch is a wide-ranging fix affecting IE 5.01, IE 6, and IE 7 on Windows 2000 SP4, XP, Vista, and Windows Server 2003 and 2008. The patch covers at least six bugs, resolving five privately reported vulnerabilities and one publicly disclosed vulnerability. The vulnerabilities could allow information disclosure or RCE if a user views a specially crafted Web page using Internet Explorer.
The third fix in the release group deals with a vulnerability in Microsoft Host Integration Server (HIS), which could enable RCE if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. HIS is a gateway product that provides interoperability between Windows networks and legacy operating systems and applications running on IBM mainframe and AS/400 systems. The patch covers HIS 2000, HIS 2004 on both the client and server side, and HIS 2006 for 32-bit and 64-bit systems.
This is a rare fix that will require attention and has raised the eyebrows of many observers who examined this month's rollout.
Sheldon Malm, director of security research and development for San Francisco-based nCircle Inc., said that because this type of vulnerability isn't spotted often, it makes patching this hole that much more important.
Malm added that given the current climate on Wall Street, the impact of a compromise in HIS shouldn't be underestimated, as "HIS can be used to connect to mainframe and midrange systems housing databases and CICS processing applications that act as the system of record for critical financial data" including ATMs, bank teller applications, and insurance systems.
"Additionally, the impact of a compromise of this vulnerability cannot be underestimated for retailers," he said. "This can have a significant impact for PCI audits, where the existence of this vulnerability can have implications far beyond the Windows server itself."
The fourth critical fix deals with Excel and covers Office 2000 SP3, XP SP3, Office 2003 SP2 and SP3, and touches on Microsoft Office 2007. Additionally, Office 2004 for Mac, XML file converter for Mac, Excel Viewer, Office 2007 Compatibility Pack, and SharePoint Server are also included by the bulletin.
This security update is said by Redmond to address "three privately reported vulnerabilities in Microsoft Office Excel" that, if left unchecked, could usher in RCE exploits through the use of a maliciously configured Excel file.
Important and Moderate Patches
All six "Important" items are Windows OS patches and deal with an eclectic mix of programs, products, and services. The one overriding theme is that this batch addresses client-side and insider threats rather than purely remote ones.
The first fix affects XP and Windows Server 2003 and pertains to a privately reported vulnerability in the Microsoft Ancillary Function Driver. A local attacker who successfully exploited this vulnerability could have complete dominion over an affected system.
"Important" patch No. 2 is all about the Windows kernel and covers Windows 2000 SP4 along with XP, Vista, and the Windows Server series 2003 and 2008. The update resolves one publicly disclosed and two privately reported vulnerabilities in the Windows kernel, the core of the OS responsible for memory management and inter-process communication. A local attacker who successfully exploited these vulnerabilities could take complete control of an affected system.
The third "Important" bulletin deals with all of the same OS programs as the second patch but resolves a previously disclosed vulnerability in Windows Internet Printing Service that could allow remote code execution from a local user logged on to the system with administrative user rights. Unauthorized off-site document queuing or use of proprietary documents is the risk here.
Another fix in the rollout also covers Windows 2000 SP4 along with XP, Vista, and the Windows Server series 2003 and 2008 and plugs a vulnerability in Microsoft Server Message Block (SMB), the network protocol that provides shared access to files and supports change, edit, and delete operations on documents in a shared workflow.
Meanwhile, the fifth patch, which addresses an elevation of privilege vulnerability in the Virtual Address Descriptor (VAD), a virtual memory and virtualization component, only covers XP, Vista, and Windows Server 2003 and 2008.
The final "Important" patch in this group solely affects Windows 2000 SP4 and deals with an RCE bug in Microsoft's Message Queuing Service, which orders and delivers server messages, e-mail, and other message data.
Meanwhile, the lone "Moderate" item is highly technical, involves only XP SP3, and deals with a potential information disclosure exploit in Microsoft Office that can be triggered through the use of a specially crafted Connected Data Objects, or "CDO," URL. With CDO, programmers can upgrade and enhance a code-building facility called the Eclipse Modeling Framework for runtime support using Java or XML. This is a back-end vulnerability that an egghead hacker could really have fun with just to be mischievous, experts say.
For IT pros planning a full install, it will take time, as all but two of the 11 patches will require restarts. Additionally, Windows enterprise professionals interested in general updates and other non-security content can look at this knowledgebase article for a description of such updates on Microsoft Update, Windows Update and Windows Server Update Services.
So in what other ways can Patch Tuesday for October be summed up?
The current sentiment is that proper preparation can eliminate head scratching on the actual release date of monthly fixes.
In an e-mailed statement, Wes Miller, former Microsoft program manager and current senior technical product manager for endpoint security firm CoreTrace, said he was not "envious of all of the systems administrators" who will have to scramble to decide which update in this myriad of fixes is most important for their enterprise. He suggested that a preventative security program involving monitoring of risks as they relate to a given enterprise is very important to have between patch cycles.
"Reactive security patching is a time-intensive task that is a huge drain on IT resources. With the number of patches on the rise, organizations could benefit greatly from relying on solutions that prevent unauthorized applications from executing in the first place," he said.
-- Jabulani Leffall