Microsoft Can’t Count: New Vulnerability Disclosure Criticism

Microsoft details five critical vulnerabilities, including flaw that could be automatically exploited by a malicious Web page or e-mail

IT managers, start your patching engines: Microsoft released patches for five critical vulnerabilities. Three vulnerabilities involve Internet Explorer (IE), including a dangerous JPEG-handling flaw.

Of the announced vulnerabilities, “the potential for graphical-image-based exploits is especially concerning as it affects multiple applications and requires no user interaction,” notes Oliver Friedrichs, a senior manager for Symantec Security Response.

All of the flaws give attackers multiple angles for exploiting PCs. “These vulnerabilities can be leveraged by malicious Web sites to install spyware, Trojan horses, bots, or other programs on an unsuspecting user’s machine,” says Friedrichs. “Symantec Security Response recommends that users apply the updates as quickly as possible, and be aware of phishing schemes that attempt to lure users to malicious sites.”

Counting Vulnerabilities

In the wake of these vulnerability announcements, Microsoft is coming under renewed fire for its vulnerability-disclosure methods. Of course, such criticism is not new. Ever since the company began grouping security vulnerabilities into bulletins and releasing them only on the second Tuesday of the month—so-called “Super Tuesday”—several critics have accused the software company of trying to obscure the overall number of vulnerabilities in its products.

Now, however, some are going further and alleging how Microsoft packages vulnerability information is also disingenuous. As Alan Paller, the director of research for the SANS Institute, wrote in a recent SANS newsletter, “Microsoft’s disclosure method may mislead some readers into thinking the number of vulnerabilities in its software is smaller than the real number.”

How? Take Microsoft’s July 2005 release of three “critical” security bulletins, with critical defined as “a vulnerability whose exploitation could allow the propagation of an Internet worm without user action.” Yet the month’s bulletins actually detail five critical vulnerabilities. Hence, when Microsoft “combines five vulnerabilities in three bulletins, and then talks about the announcement as covering three critical vulnerabilities instead of the real number, the press headlines present the wrong number, and the public is misled,” says Paller.

Vulnerability Details

How bad are the five vulnerabilities? According to vulnerability information provider Secunia, the three vulnerabilities in Internet Explorer could be “exploited by malicious people to conduct cross-site scripting attacks or compromise a user’s system.”

Of the three Internet Explorer vulnerabilities, the first stems from the way JPEG images are handled, and was publicly revealed last month. Here’s how it works: if a user is tricked into viewing a malicious Web site or HTML e-mail containing a specially crafted JPEG image, an attacker could trigger “a memory corruption error,” says Secunia, causing a buffer overflow.

“While there are no known attacks,” notes Symantec, researchers have “seen proof-of-concept JPEG images that will crash Internet Explorer when rendered.”

The second critical Internet Explorer vulnerability relates to a validation error during URL interpretation “when browsing from a Web site to a Web folder view using WebDAV.” (WebDAV, or Web-based Distributed Authoring and Versioning, is a widely used HTTP protocol extension which allows Web pages to be both readable and writable.) Because of the vulnerability, some URLs could allow an attacker to “exploit arbitrary script code” on a user’s PC, says Secunia.

The third critical vulnerability in Internet Explorer is “an error in the way COM objects are instantiated as ActiveX controls,” says Secunia. Using a malicious Web site, an attacker could corrupt a PC’s system memory, then run arbitrary code.

Patches are available for Internet Explorer 5.01 on Windows 2000 (Service Pack 4); Internet Explorer 5.5 (SP2) on Windows ME; and Internet Explorer 6 on Windows 98, Windows 98 SE, Windows ME, Windows XP (SP1 or SP2), and Windows Server 2003.

Beyond Internet Explorer

The fourth critical vulnerability of the month involves plug-and-play (PnP) functionality. Exploiting it could allow for “remote code execution and local elevation of privilege,” says Microsoft. One mitigating factor is an attacker “must have valid logon credentials and be able to log on locally to exploit this vulnerability,” says Microsoft. “The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.”

Microsoft Windows 2000 Service Pack 4, Server 2003, and XP operating systems are affected. (Note earlier versions of Windows 2000, however, may also be infected; it’s not clear. As Microsoft notes in its security bulletin, “other versions either no longer include security update support or may not be affected.”)

The fifth critical vulnerability involves the print spooler. By exploiting the flaw, an attacker could execute arbitrary code on a user’s PC. One mitigating factor, says Microsoft, is that “on Windows XP Service Pack 2 and Windows Server 2003, this vulnerability is restricted to authenticated users,” and that if an attack was successful, it might cause a denial of service, yet not allow remote code execution or elevation of privilege. Beyond those two operating systems, Microsoft Windows 2000 Service Pack 4 and Microsoft Windows XP Service Pack 1 are also affected.

Finally, Microsoft also detailed an “important” vulnerability in the Windows telephony service, which could allow remote-code execution. There are also two “moderate” vulnerabilities. One involves the Remote Desktop Protocol and could facilitate a denial of service attack, while the other is a flaw in Kerberos which could allow a denial of service, information disclosure, and spoofing.

Related Articles:

Microsoft and Apple Patch Operating Systems

Q&A: Is Microsoft’s Security Trustworthy?

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.