Monday, September 17, 2007

Microsoft Escapes Patch Tuesday Drama

There were only four fixes released on Patch Tuesday, but the updates affect several types of users, especially because of the Messenger fix. "Since instant messaging software is installed by home users as well as corporate users, it affects everyone," noted Amol Sarwate, manager of the Vulnerability Research Lab at Qualys.

After its fair share of zero-day vulnerabilities and scores of patches over the past few quarters, Microsoft's September Patch Tuesday might seem uneventful for I.T. admins. Still, there is some work to do this month with four patches in the hopper.
One critical patch fixes a bug in Windows 2000 Service Pack 4 that potentially allows an attacker to take control of a victim's computer remotely. Another security bulletin, rated important, describes a vulnerability in Windows Services for Unix and the Subsystem for Unix-based Applications. The second important patch affects Microsoft Visual Studio, while the third important update fixes a flaw that affects MSN Messenger and Windows Live Messenger.

"Users of Windows Server 2000 Service Pack 4 should be paying most attention to Microsoft's patches," said Dave Marcus, security research and communications manager at McAfee Avert Labs. "However, we don't foresee a lot of exploitation of the Windows 2000 vulnerability. Not many people will use those legacy systems to surf the Web, which would be the primary attack vector."

Messaging Clients Targeted

Viruses spread through instant messaging are getting a lot of press lately. Skype suffered highly publicized attacks this week, and now Microsoft is trying to avoid the same storyline by patching a vulnerability in its messaging client. According to Andrew Storms, director of Security Operations for nCircle, the Messenger fix, which patches a remote code execution bug in the video chat functionality of the messaging client, is the most interesting update this month.

"This exploit was first announced several weeks ago and Microsoft moved very quickly to get this fix out. I'm sure this is because of the recent flush of exploits that target IM clients," Storms said. "We have seen two bugs in Yahoo Messenger, one of which was almost identical to this MSN Messenger chat vulnerability. IM clients are the hot, new vector for exploits and this trend will definitely continue for the foreseeable future."

The remaining patches affect "power users," or users with administrator or developer roles, including the one critical vulnerability described in security bulletin MS07-051. Specifically, this patch fixes a flaw in Microsoft Agent, the Windows component that displays animated on-screen characters such as "Clippy," the Microsoft Office talking paperclip.

"While critical, it is important to note that it only affects Windows 2000 Service Pack 4 users, not those running Windows 2003, XP, or Vista operating systems," noted Amol Sarwate, manager of the Vulnerability Research Lab at Qualys. "If vulnerable, there is the potential for remote code execution under a Web-based attack scenario."

Broad Set of Users Affected

The remaining two vulnerabilities are rated important by Microsoft. Security Bulletin MS07-053 describes a Windows services update that affects advanced users who integrate Windows with Unix. This update is designed to fix a zero-day vulnerability for which an exploit was made public last month.

MS07-052, meanwhile, affects Crystal Reports .RPT files. If advanced users and developers browse to a malicious Web site or open an .RPT file sent as an e-mail attachment, it could open the door to an attack.

Even though there were only four fixes altogether, September's Patch Tuesday affects several different types of users, especially because of the Messenger update. "Since instant messaging software is installed by home users as well as corporate users, it affects everyone, while the remaining patches address systems and applications used by administrators and developers," Sarwate said.