Monday, August 20, 2007

Patch Tuesday Highlights Web-Based Malware

The number of updates Microsoft issued on August's Patch Tuesday dwarfs the number of patches released over the past several months and highlights the new frontier of Web-based attacks and next-generation media vulnerabilities, according to Amol Sarwate, manager of the vulnerability research lab at Qualys.

Get ready to roll up your sleeves. If you are in the I.T. department, you are going to be busy for a while. On Patch Tuesday yesterday, Microsoft issued its second-largest set of updates this year with nine security bulletins altogether.

The updates fix 14 vulnerabilities. Eight bugs are rated critical, four are rated important, and two are considered moderate. The patches fix holes in Windows, Windows Gadgets, Windows Media Player, Office, Excel, Internet Explorer, Visual Basic, Virtual Server, and Virtual PC.

"Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site," said Dave Marcus, security research and communications manager at McAfee Avert Labs. "Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits."

Patch These First

With six critical flaws, I.T. admins are charged with targeting the most potentially dangerous of the bunch first. According to Sheldon Malm, a vulnerability researcher for nCircle, one of the most critical vulnerabilities is covered in security bulletin MS07-042, which describes the update for an XML services vulnerability. "XML is so pervasive -- it ships with so many different products and sits in so many different places on an enterprise network," he said.

Malm said he was most concerned about bulletin MS07-048, which describes three vulnerabilities in Vista gadgets. The RSS feed gadget vulnerability could allow a hacker who has gained control of a blog to create a malicious post and distribute it to everyone who subscribes to the RSS feed.

"RSS feeds have the potential to become the next big vector for worms or bots because they exploit an existing trust relationship. People place implicit trust in the security of the information source when they use RSS feeds," Malm said.

The New Frontier

This month's Patch Tuesday dwarfs the number of updates released over the past several months and highlights the new frontier of Web-based attacks and next-generation media vulnerabilities, according to Amol Sarwate, manager of the vulnerability research lab at Qualys. In total, August's updates address 14 vulnerabilities in Microsoft applications that touch all Windows users, from the home to the office.

Sarwate offered a different take on which patches are most critical to deploy first. "The most critical patch is MS07-046, fixing the Microsoft Graphics Rendering Engine in the core Windows operating system, or GDI," he argued. "Left unpatched, users that view malformed image files will open up their system to remote code execution."

In Sarwate's view, several bulletins, including MS07-044, MS07-045, and MS07-050, compete for second place as far as patching priority. Two of those patches relate to Internet Explorer and one to Microsoft Excel. All three are deemed critical because they affect extremely popular Microsoft applications.

"A typical exploit scenario would be for MS Office and Explorer users to receive and open a malformed Excel spreadsheet as an e-mail attachment or visit a Web site that hosts malformed Excel spreadsheets, at which point the machine can be compromised and overtaken by attackers," Sarwate said.

This month's release, he concluded, shatters the six-month pattern of smaller updates and is a reminder that Microsoft's Security Development Lifecycle, which grew out of Vista's development, is not infallible.