IT administrators have a brutal month of patching ahead of them,
following Microsoft's release of 12 security bulletins covering a
range of problems in Windows, Office and Internet Explorer.
In all, nine of the bulletins have been deemed critical and a
total of 23 security holes have been fixed in this month's release,
including previously exploited Windows and PowerPoint flaws.
"With 23 flaws, this is easily one of Microsoft's largest patch
releases, and this batch covers a broad range of applications,"
said Jonathan Bitle, manager of the technical accounts
team at Qualys. "Because we are seeing so many client-side flaws
each month, we cannot highlight enough the need for user education
- not just a need for patching, but for education among all
employees on what kinds of websites and files are acceptable or
not."
Microsoft described the critical flaws as those an attacker
could exploit to take complete control of an affected system. "An
attacker could then install programs, view, change or delete data,
or create new accounts with full user rights," the supplier said in
its advisories.
The biggest threat
Security experts agree the bulletin to take most seriously is
MS06-040, which addresses a remotely
exploitable buffer overrun flaw in the Windows Server
Service.
On the patch management forum hosted by Shavlik Technologies,
Marc Maiffret, chief hacking officer of eEye Digital Security, said
IT professionals should focus on getting this patch deployed first.
"This vulnerability was being actively exploited in the wild," he
said. "However no previous details had been released on it
publicly."
In a message on its
Web site, the United States Computer
Emergency Readiness Team (US-CERT) also warned that one of this
month's patches would address a flaw that has already been
exploited. The specific flaw or security bulletin was not
immediately named, although US-CERT said it would post more
details sometime after the bulletins were released.
Amol Sarwate, director of Qualys' vulnerability research lab,
said the flaw addressed in MS06-040 is the only one in this month's
batch that an attacker could exploit without user interaction.
"This is the most critical and users should take it the most
seriously," he said. "But all the other critical bulletins cannot
be taken lightly because they are spread all over the operating
system."
A monster Internet Explorer fix
One of the best examples is
MS06-042, the latest cumulative update for
Internet Explorer that fixes eight different security holes,
Sarwate said. According to Microsoft, the bulletin
addresses:
- Two flaws in how Internet Explorer handles
redirects.
- Two flaws in how Internet Explorer interprets HTML with certain
layout positioning combinations.
- A flaw in how Internet Explorer handles chained Cascading Style
Sheets (CSS).
- A flaw in how Internet Explorer instantiates COM objects that
are not intended to be instantiated in the browser.
- Script being used to access the location of a Window in another
domain or Internet Explorer zone.
- A flaw in how Internet Explorer handles specially crafted FTP
links that contain line feeds.
Metasploit Framework creator H.D. Moore released at least one
new browser flaw a day last month as part of his self-titled
"Month of Browser Bugs" project, and Sarwate
believes that is why the August Internet Explorer update is so
large. Plus, from what he can tell, this update does not even
address all the known IE flaws.
"It will probably take Microsoft two Patch Tuesdays to fix
everything," he said.
Other critical fixes
The remaining critical fixes for August are:
- MS06-043, which addresses a remote code execution vulnerability in
Windows that results from incorrect parsing of the HTML protocol.
- MS06-044, which addresses a remote code execution flaw in the
Windows Management Console.
- MS06-046, which addresses a flaw in the HTML Help ActiveX control.
"An attacker could exploit the vulnerability by constructing a
malicious webpage that could potentially allow remote code execution
if a user visited that page," Microsoft said.
- MS06-047, which addresses a flaw in how Visual Basic for
Applications checks the document properties that a host application
passes to it when opening a document. Microsoft Office applications
are affected by this vulnerability, Microsoft said.
- MS06-048, which addresses two Microsoft PowerPoint flaws that had
already been disclosed in the past month. One flaw can be exploited
when a file containing a malformed shape container is parsed by
PowerPoint. The other flaw could be exploited when PowerPoint parses
a file containing a malformed record.
- MS06-051, which addresses two flaws: a privilege elevation
vulnerability in how Windows 2000 starts applications, and a flaw in
how exception handling is managed on multiple applications that are
resident in memory.
Three 'important' fixes
Microsoft rated three security updates as "important" this
month:
- MS06-045, which addresses a flaw in how Windows Explorer handles
drag-and-drop events.
- MS06-049, which addresses a privilege-elevation flaw in Windows
2000 caused by improper validation of system inputs.
- MS06-050, which addresses two flaws: an unchecked buffer in the
code that is used for handling hyperlinks, and a malformed function
that appears when hyperlinks are handled. An attacker could exploit
the flaws by constructing a malicious hyperlink that could
potentially lead to remote code execution if a user clicks a
malicious link within a Microsoft Office file or e-mail message.
While this bulletin technically addresses a flaw within Windows, it
is the cause of a zero-day flaw in Microsoft Excel that attackers
could exploit to launch malicious code.