Microsoft issues flood of critical patches

Microsoft on Tuesday released a flood of information on new and previously disclosed holes in a wide range of software products, many of them rated "critical" and well-suited to use by malicious hackers or computer virus writers, according to one security expert.

The company published four security bulletins, MS04-011, 012, 013 and 014 containing patches for 20 unique software vulnerabilities. Critical holes were found in the Internet Explorer Web browser, a standard Windows component for managing local system security and authentication, the Microsoft Secure Sockets Layer library (SSL) and Remote Procedure Call (RPC) Runtime Library, which is installed with Windows, Microsoft said.

The software patches touched a wide range of Microsoft's products, from Windows 98 through Windows Server 2003 64-bit edition, as well as a number of versions of the Outlook Express e-mail program.

Among the most critical holes Microsoft warned customers about are:

-- A buffer overrun vulnerability in the Local Security Authority Subsystem Service (LSASS), which is used to authenticate users locally and also in client-server environments. LSASS also has features used by Active Directory utilities. An attacker who could exploit the LSASS vulnerability could remotely attack and take total control of Windows 2000 and Windows XP systems. The same vulnerability does not affect Windows 98 or NT, and is rated "low" for Windows Server 2003, meaning that it is extremely difficult to exploit or will have only minimal impact on the system if exploited, according to Microsoft.

-- A buffer overrun in the Private Communications Transport (PCT) protocol, which is part of Microsoft's Secure Sockets Layer (SSL) library, which is used to secure communications between servers and clients on public networks and the Internet. PCT is a protocol in that library that was developed by Microsoft and Visa International Inc. to conduct encrypted communication on the Internet, Microsoft said.

An attacker who could exploit the PCT hole could take complete control of affected systems, installing programs, viewing, modifying or deleting data or changing user access to the system. Attackers could exploit the flaw by sending a TCP (Transmission Control Protocol) message to a vulnerable system using SSL. The message would have to be designed to cause the buffer overrun and run the attacker's code on the machine, the company said.

The PCT hole was rated "critical" for Windows NT 4.0 and Windows 2000, "important" for Windows XP and "low" for Windows Server 2003, Microsoft said.

While Microsoft disclosed a number of other critical security holes in its bulletins, the LSASS and PCT holes are particularly dangerous because they can be triggered remotely and without any action being taken by users on affected systems, said Firas Raouf, chief operating officer of eEye Digital Security Inc. in Aliso Viejo, California.

EEye researchers discovered the LSASS vulnerability and reported it to Microsoft, Raouf said.

The two holes can also be exploited using common techniques such as creating stack-based overflows. That will accelerate the development of exploits for the two vulnerabilities, which are well-suited to use in an Internet worm like the Blaster or SQL Slammer worms, he said.

"The window of opportunity to remediate these is small. It's likely that someone will repackage existing worms to attack the new vulnerabilities, so (Microsoft customers) need to patch their systems in the next couple days," he said.

Microsoft also issued a revised cumulative patch, MS04-013, for recent versions of the Outlook Express e-mail client, which ships with most versions of the Windows operating system.

The bulletin also listed a critical new problem with the way Outlook Express interprets a kind of URL (Uniform Resource Locator) known as a MIME Encapsulation of Aggregate HTML, or MHTML URL. The vulnerability could allow an attacker to run their own HTML code on Windows systems using an affected Outlook Express client.

MHTML allows documents with MHTML-encoded content to be displayed in software applications like the Internet Explorer Web browser. To trigger the flaw, attackers would have to create a specially crafted MHTML URL, which use the prefix MHTML://. Attackers could launch an attack by tricking users into visiting a Web page containing the nefarious MHTML:// link or sending an HTML e-mail message with such a link in it, Microsoft said.

Security companies including Network Associates Inc. (NAI), Computer Associates International Inc., eEye, and Internet Security Systems Inc. issued statements on Tuesday warning customers about the newly disclosed vulnerabilities. Some, such as NAI, offered filters to detect and guard against malicious traffic trying to exploit the new holes.

CA is already seeing exploitation of the MHTML hole and said exploits for the other software vulnerabilities could follow.

"Since many of these issues are previously undisclosed, it may take a few days or weeks for attackers to develop exploit code and other forms of malware," said Sam Curry, vice president of eTrust Security Solutions, a division of CA, in an e-mail statement.

While eEye's Raouf said that the monthly, cumulative bulletins generally made it easier for customers to deploy the security patches, he was critical of the company's handling of vulnerability information, including the LSASS hole, which eEye reported to Microsoft in October, 2003.

"The downside (of the monthly bulletins) is that Microsoft is keeping critical vulnerabilities under wraps until enough can be put together, and that increases the likelihood that an unethical research firm will find the same flaw, not tell Microsoft about it and unleash hell," he said.

Even when proper disclosure procedures are followed, the sheer number of new critical vulnerabilities disclosed on Tuesday will be a feast for virus writers.

"If somebody is looking to put together a worm in the next couple of days, they'll have a number of vulnerabilities to choose from," Raouf said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?