Fixes from Microsoft and Adobe, Havoc from McAfee
Microsoft released six critical updates for PC and Mac, and Adobe patched Flash. Grabbing headlines, however, was the file-eradication spree triggered by an update to McAfee's antivirus program, causing users to question automatic patches.
Vulnerability announcements abound this month. For starters, Microsoft detailed six bugs attackers could exploit to remotely run arbitrary code on PCs. Vulnerability information provider Secunia rated the problems as “highly critical,” its highest severity rating.
One vulnerability involves Office: attackers could craft a fake Office “routing slip” to corrupt memory, and then run code of their choice. Most of the vulnerabilities involve Excel, and attackers could exploit them to corrupt PC memory and execute arbitrary code through specially crafted Excel files or malformed graphics included in Excel files.
To fix the problems, Microsoft issued patches for Microsoft Office 2000, 2002, and XP on Windows, and Office 2004 and X on the Mac. It also patched several standalone versions of Microsoft Excel, Word, Outlook, and PowerPoint, plus Microsoft Works Suite (versions 2001 through 2006).
On the Adobe front, there are security holes in Macromedia Shockwave (SWF) files. (Adobe acquired Macromedia about a year ago.) According to Secunia, the vulnerabilities are highly critical and “can be exploited to execute arbitrary code on a user’s system when a malicious SWF file is loaded.” Adobe didn’t detail the exact cause of the vulnerabilities.
To fix the problem, Adobe released updated versions of the affected Macromedia products: Breeze 4.x, 5.x, and the Breeze Meeting Add-In; Flash versions 8.x, MX 2004, and MX Professional 2004; Flash Player 7.x and 8.x; Flex 1.x; and Shockwave Player 10.x.
Enterprise Auto-Updaters Beware
With the recent slew of security fixes, here’s a timely question: Does your company test all operating system and application software updates, not to mention patches, before allowing them to install on end users’ PCs, or does your company allow such things as antivirus and anti-spyware software, plus Windows, to update themselves automatically?
The urge to use vendors’ automatic updates is strong, since it offers the promise of immediately stopping known vulnerabilities attackers might quickly exploit, especially after Microsoft releases its monthly slew of “security bulletins.” IT departments may decide some immediate protection is better than none.
As last week proved, IT may need to be more caution of automated updates in the enterprise, security experts advise. In fact, they recommend updates only get pushed to end users after a thorough vetting—after days or weeks—on a test bed of PCs running users’ typical applications, and especially any custom-built applications.
If that seems like a lot of effort, consider the risks of untested patches: compromised user productivity (both in lost time and lost information), IT staff spending untold hours on clean-up, plus the delicate—if not impossible—task of uninstalling Windows operating system patches. For the latter, the most efficient fix is often to wipe a PC and reinstall everything, thus eradicating any user information not backed up to external media.
The risks from deploying untested software updates were recently highlighted when antivirus software maker McAfee Inc. released a signature update (DAT 4715) for five of its antivirus products that inappropriately flagged many executable files as being the W95/CTX virus. As a result, numerous files were quarantined or deleted (depending on antivirus program settings).
While DAT 4715 was only available from McAfee for five hours (before it released DAT 4716 to correct the problem), any users with their antivirus software set to update automatically, or who manually updated, may have received the update. Targeted files included userid.exe and imjpinst.exe (both Windows XP files), ecenter.exe (a Dell file), ntfstype.exe (a Windows utility), adobeupdatemanager.exe (Adobe’s Update Manager), gtb2k1033.exe (the Google Toolbar installer), 43gcjvgahnu44.ths (Macromedia Flash Player version 7), plus excel.exe (the Microsoft Excel application), and graph.exe (part of Excel).
While there’s no definitive information on the resulting damage or affected file types, one system administrator reported to the SANS Institute that out of 3,700 files he saw quarantined by McAfee, at least 297 were unique file types.
Restoring quarantined files was a feasible, if lengthy, undertaking, and McAfee issued a tool to help users of its enterprise antivirus product automate the process. Deleted files, however, needed to be restored from backups, assuming such backups existed.
Given this episode—almost 300 file types inappropriately quarantined or deleted, times some number of files, times some number of affected users—deploying untested updates and patches may be a risk many organizations will henceforth want to avoid.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.