Microsoft patches URI bug, ancient DNS flaw

No sign of DRM fix as company plugs protocol handler vulnerability it finally acknowledged

Microsoft Tuesday released two security bulletins that fixed a pair of flaws in Windows, including a vulnerability that had been the root of a monthslong debate over patching responsibility.

One of the updates was rated critical, Microsoft's highest threat ranking, while the other was pegged as important, the next-lowest notch in the company's four-step scoring system.

MS07-061 patched the Uniform Resource Identifier (URI) protocol handler bug in Windows XP and Windows Server 2003 that Microsoft admitted was its job to fix only after months of denying that a vulnerability existed in its software. In a security advisory posted October 11, Microsoft owned up to the flaw.

The vulnerability has been exploited in the wild for weeks, most recently by a wave of attacks using rigged PDF files.

Although only PCs running XP or Server 2003 that were also equipped with IE 7 have been shown to be at risk, Microsoft pushed the patch to all users of those operating systems, no matter which browser they had installed. "Microsoft has not identified any way to exploit this vulnerability on systems using Internet Explorer 6," the security bulletin said, "[but] as a defense-in-depth measure, this security update is made available to all customers using supported editions of Windows XP and Windows Server 2003, regardless of which version of Internet Explorer is installed."

Andrew Storms, director of security operations at nCircle, applauded the proactive move. "Microsoft's saying that even though it's unable to exploit [the URI protocol handler bug] for IE 6, the bug still exists, and someone else may come along and figure out an exploit," he said.

According to Eric Schultze, the chief technology officer of Shavlik Technologies, Microsoft is simply following protocol. "They're giving the patch regardless of the SKU of XP or Server 2003, because they can't deliver it as an IE patch," he said. The flawed component, the "shell32.dll" file, is part of Windows, not Internet Explorer.

But although the fix should put an end to URI protocol handler exploits which rely on IE -- or, as Storms put it, "at least until the next attacks" -- other applications that register buggy handlers will still have to patch their own code. Microsoft's security experts, including Mark Miller, the director of the Microsoft Security Response Center (MSRC), and Mike Reavey, the operations manager for the group, made that clear in an interview a month ago.

The other bulletin issued today, dubbed MS07-062, patches a DNS cache poisoning vulnerability in Windows 2000 SP4, and Windows Server 2003 SP1 and SP2.

"This is a classic, a nostalgic man-in-the-middle kind of vulnerability," said Storms, who also knocked Microsoft for taking so long to fix the flaw. "This is something that other DNS [Domain Name System] vendors, like BIND, have known about and fixed years ago." Storms, in fact, was quickly able to dig up reports of the DNS vulnerability from as far back as 2002.

"It's not an easy thing to take advantage of, but I'm willing to bet that there's still some script-kiddie code out there that can be modified for this vulnerability," Storms said. An attacker would probably partner an exploit with a phishing e-mail that would entice the recipient to a trusted Web site, say eBay. The exploit, however, would redirect the user to a fake site to plunder personal or financial information.

"This sort of vulnerability has impacted other DNS servers in the past and has been well understood by attackers for a long time," said Chris Valasek, a researcher with IBM's X-Force, in an e-mail. "Now that Microsoft DNS Server's susceptibility has been disclosed we may see renewed attacks of this sort."

The only surprise in this month's patches, said Schultze, was the omission of a fix for a bug in third-party anti-piracy software that's bundled with Windows. The vulnerability in Macrovision's SafeDisc digital rights management software was confirmed last week.

"I'm guessing that Microsoft wasn't able to wrap the updated [Macrovision] driver in its own installers in time," Schultze said. "Maybe we'll see it as an out-of-band release."

The two bulletins' patches are available via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?