Microsoft has released 10 software security patches for
its products, including seven it deemed critical and that could
allow remote attackers to take control of systems running the
company's software.
The software maker advised customers to download and install
critical patches for a wide range of products as soon as possible,
including its Windows operating system, Exchange e-mail server and
Microsoft Office productivity software.
The company published the software updates MS04-029 through to
MS04-038, on its
website.
The security alerts detail holes in a number of critical
components, including Windows components for handling SMTP (Simple
Mail Transfer Protocol), which is used for sending and receiving
e-mail, and NNTP (Network News Transfer Protocol) traffic, as well
as a Windows feature for processing compressed Zip files.
The slew of vulnerabilities - more than 21 spread across the 10
security bulletins - are sure to cause headaches for network
managers, who will be rushing to distribute the patches before
software code to exploit the vulnerabilities is released on the
internet.
Among the most critical for enterprises are MS04-035, which
patches the SMTP hole, and MS04-036, which plugs the hole in
Windows handling of NNTP, a protocol used to manage traffic to and
from Internet news groups, said Brian Mann, outbreak manager for
McAfee's Antivirus Emergency Response Team.
Both the vulnerabilities described in 035 and 036 affect servers
running at the enterprise gateway and will need to be patched as
soon as possible, especially with the threat of remote exploit and
code execution, Mann said.
The disclosed vulnerability in Windows handling of Zip folders
is also dangerous, because it affects machines running Windows
Server and Windows XP, he said.
For that vulnerability, a buffer overflow can be created on
Windows by Zip files specially crafted to trigger the
vulnerability. Windows users would have to download and open the
files from a website or double click on a malicious Zip file in an
e-mail to trigger the buffer overflow, Microsoft said.
However, Zips are a common form of e-mail attachment, and virus
writers are already fond of using the compressed files to deliver
malicious payloads, Mann said.
Administrators should also hurry to apply cumulative software
patches for Windows (MS04-032) and the Internet Explorer web
browser (MS04-038), said Thor Larholm, senior security researcher
at PivX Solutions.
Malicious code which exploits vulnerabilities covered by those
patches, including flaws in a Windows component called Windows
Shell and a vulnerability in the way Explorer handles drag and drop
events, is already circulating on the internet, he said.
While there were no major surprises in the October batch of
patches, the sheer number of vulnerabilities disclosed will keep
administrators busy, especially with the short window of time
between the publication of a software patch the development of
exploit code that takes advantage of it, Larholm said.
PivX estimates that new exploit code for vulnerabilities
typically appears within 10 days of a patch being released or
publicised, Larholm said.
Paul Roberts wrtites for IDG News Service