Microsoft issues flood of critical patches

Microsoft has released a flood of information on new and previously disclosed holes in a wide range of software products, many of...

Microsoft has released a flood of information on new and previously disclosed holes in a wide range of software products, many of them rated "critical".

The company published four security bulletins, MS04-011, 012, 013 and 014 containing patches for 20 unique software vulnerabilities.

Critical holes were found in the Internet Explorer web browser, a standard Windows component for managing local system security and authentication, the Microsoft Secure Sockets Layer library (SSL) and Remote Procedure Call (RPC) Runtime Library, which is installed with Windows.

The software patches touched a wide range of Microsoft's products, from Windows 98 through to Windows Server 2003 64-bit edition, as well as a number of versions of the Outlook Express e-mail program.

Among the most critical holes Microsoft warned customers about are: 

  • A buffer overrun vulnerability in the Local Security Authority Subsystem Service (LSASS), which is used to authenticate users locally and also in client-server environments. LSASS also has features used by Active Directory utilities. An attacker who could exploit the LSASS vulnerability could remotely attack and take total control of Windows 2000 and Windows XP systems. The same vulnerability does not affect Windows 98 or NT, and is rated "low" for Windows Server 2003, meaning that it is extremely difficult to exploit or will have only minimal impact on the system if exploited. 
  • A buffer overrun in the Private Communications Transport (PCT) protocol, which is part of Microsoft's Secure Sockets Layer (SSL) library used to secure communications between servers and clients on public networks and the internet. PCT is a protocol in the library which was developed by Microsoft and Visa International to conduct encrypted communication on the internet.

An attacker exploiting the PCT hole could take complete control of affected systems, installing programs, viewing, modifying or deleting data or changing user access to the system.

Attackers could exploit the flaw by sending a TCP (Transmission Control Protocol) message to a vulnerable system using SSL. The message would have to be designed to cause the buffer overrun and run the attacker's code on the machine.

The PCT hole was rated "critical" for Windows NT 4.0 and Windows 2000, "important" for Windows XP and "low" for Windows Server 2003.

While Microsoft disclosed a number of other critical security holes in its bulletins, the LSASS and PCT holes are particularly dangerous because they can be triggered remotely and without any action being taken by users on affected systems, said Firas Raouf, chief operating officer of eEye Digital Security.

The two holes can also be exploited using common techniques such as creating stack-based overflows. That will accelerate the development of exploits for the two vulnerabilities, which are well-suited to use in an internet worm such as the Blaster or SQL Slammer worms.

Microsoft also issued a revised cumulative patch, MS04-013, for recent versions of the Outlook Express e-mail client, which ships with most versions of the Windows operating system.

The bulletin also listed a critical new problem with the way Outlook Express interprets a kind of URL known as a Mime Encapsulation of Aggregate HTML, or MHTML URL.

The vulnerability allows an attacker to run their own HTML code on Windows systems using an affected Outlook Express client.

MHTML allows documents with MHTML-encoded content to be displayed in software applications like the Internet Explorer web browser.

To trigger the flaw, attackers would have to create a specially crafted MHTML URL, which use the prefix MHTML://.

Attackers could launch an attack by tricking users into visiting a web page containing the nefarious MHTML:// link or sending an HTML e-mail message with such a link in it.

Security companies such as Network Associates, Computer Associates International, eEye and Internet Security Systems have all warned their customers about the disclosed vulnerabilities.

Paul Roberts writes for IDG News Service

Read more on IT risk management