Microsoft Releases 3 Critical Patches
On Tuesday, Redmond rolled out four patches for the month of May as expected, with three deemed "Critical" and one "Moderate."
Security pros say that though this is a relatively light release, the critical bulletins stretch across current and relevant application platforms as well as operating systems, and IT shops shouldn't take the implementation of these patches lightly.
First on the critical list is a Microsoft Word patch, an update resolving what the software giant said were "two newly discovered and privately reported vulnerabilities" in the popular application that could allow hackers to deploy remote code execution (RCE) exploits through a maliciously crafted Word file. If successful, when a user clicks on the file, a hacker would be able to install, view, edit, change or delete capabilities when it comes to data. The intruder could also create new accounts and adjust user profiles for elevated privileges on the workstation and, by extension, the network.
The patch affects Outlook 2007 and Word versions 2003, 2002, and 2000. Additionally, Word Viewer 2003 and Word Viewer 2003 SP3, as well as the Office Compatibility Pack for Excel, Word, and PowerPoint 2007 file formats are affected with a proviso of "important."
One thing IT pros should note is that the update parameters are structured for where the remedies reside, mainly at the application level, affecting Office 2003 SP3, Office XP SP3, Office 2000 SP3, and the 2007 Office System Software and its first update in Office System SP1.
The second critical item would thwart RCE attacks via the Microsoft Publisher program. Redmond stated in the release notes that the fix is configured to resolve one "newly discovered and privately reported vulnerability" in the program that could be exploited when users open a corrupt Publisher file. The versions affected are Publisher 2003 SP2 and SP3, 2002, 2000 SP3, and all versions of Publisher 2007.
Meanwhile, the third patch, involving the Jet Database Engine -- in many processing environments, the foundation for Windows products and applications on the OS -- is probably the most vital of the critical patches. Security administrators, systems administrators, and even database and network administrators would all do well to pay attention to this bulletin as well as monitor the results after installation.
"With this flaw, there is a possible way to create a buffer overflow in the Jet engine," explained Jason Miller, security data team manager for St. Paul, Minn.-based Shavlik Technologies. "By exploiting this vulnerability, an evil attacker could take over complete control over a machine. This can be accomplished by sending an evil file that contains a Word document with a specially crafted access database file embedded in the document."
According to both Miller and the Microsoft Security Response team, a user would have to open the file for a hacker to take advantage of the flaw; a user who views HTML e-mails in the preview pane can also be affected by the Jet engine vulnerability (in the latter case, the user does not have to open the document). Finally, a hacker can create a Web site and embed a Word or .PDF file into it as bait for an unsuspecting user.
What's especially intriguing about this fix, one observer suggested, is that Microsoft didn't originally plan to roll out a fix for it. "Microsoft's initial response to this vulnerability was that they wouldn't patch," said Tyler Reguly, security researcher for San Francisco-based nCircle, "so the original researcher released the vulnerability (noting that Microsoft said they wouldn't release a fix). Now they have released a fix but refused to acknowledge the original researcher. This response flies in the face of their constant messaging about responsible disclosure."
Researcher credit and controversy aside, Redmond's fix is directed at Jet 4.0 Database Engine programs built on top of the following operating systems: XP SP2, XP Professional x64 Edition, and Windows 2000 SP4. The fix also touches Windows Server 2003 x64 Edition, Windows Server 2003 with SP1 for Itanium-based systems, and Windows Server 2003 SP1.
The lone moderate patch, while not critical, deals with a potential denial of service hack that can lock administrators and users out of Windows Live OneCare, Microsoft Antigen, the Windows Defender security program, Forefront, and the Standalone System Sweeper.
Microsoft said the bulletin covers all the components of the Microsoft Malware Protection Engine through which a hacker could take advantage of the vulnerabilities by building a specially crafted "spinning" file triggered by user acceptance and, more important, scanning by the Microsoft security programs themselves.
"One interesting thing to note about this month's bulletins is that some of Microsoft's own key security software -- including Windows Defender, Forefront Security, and Antigen -- have been identified as requiring an important security update," said Don Leatham, director of solutions and strategy at Lumension Securities in Scottsdale, Ariz. "Whenever security tools themselves are affected -- even if they have been given 'moderate' status -- we would encourage administrators to treat them with increased importance. Any company that relies on these programs as part of their overall security posture should pay close attention to this update."
According to Redmond, two of the four patches will require a restart of the system after installation.
In keeping with a new design and presentation scheme started in April, Microsoft is referring IT pros and Windows Enterprise professionals to this Knowledge Base article for a description of non-security and high-priority updates on Microsoft Update, Windows Update, and Windows Server Update Services.
Featured among the programs and applications being updated are Windows Malicious Software Removal Tool, non-security updates for Windows Server 2008 and Vista, as well as updated info on Windows Server 2008 Dynamic Installer and Vista Dynamic Installer, and an upgrade of Windows Mail Junk-Email Filter.
-- Jabulani Leffall