After releasing only three security bulletins in July, Microsoft is ramping back up with the release of six security bulletins for August. However, only three updates are critical. Of the critical security bulletins, only one has seen active exploitation so far.
Details

Microsoft released six security bulletins for August and has rated three of them as critical: MS05-038, MS05-039, and MS05-043. However, only one update (MS05-038) is currently under attack.

Redmond has deemed the remaining three security bulletins—MS05-040, MS05-041, and MS05-042—as important and moderate threats. I’ll focus on the critical bulletins in this issue, and I’ll bring you up to speed on the remaining updates in my next column.

Best online Microsoft MCTS Training, Microsoft MCITP Certification at certkingdom.com

Microsoft also updated MS05-030 this month to reflect the fact that it isn’t a cumulative update—and does not supersede MS04-018. In addition, it rereleased two earlier security bulletins: MS05-023 and MS05-032.

* Microsoft Security Bulletin MS05-023, “Vulnerabilities in Microsoft Word May Lead to Remote Code Execution”: Originally released in April, Microsoft updated this bulletin to include the fact that Word 2003 Viewer is also vulnerable to this threat.
* Microsoft Security Bulletin MS05-032, “Vulnerability in Microsoft Agent Could Allow Spoofing”: Originally released in June, Microsoft updated this moderate-rated bulletin to announce a new version of the patch available for x64 editions, Windows Server 2003 for Itanium-based systems, and Windows Server 2003 SP1 for Itanium-based systems.

MS05-038

Microsoft Security Bulletin MS05-038, “Cumulative Security Update for Internet Explorer,” includes hot fixes released since Microsoft Security Bulletins MS04-004 or MS04-025 (both released last year). However, the update will only install those hot fixes on systems that haven’t already received them.

Some of the patched vulnerabilities are remote code execution threats. And in addition to including earlier updates, this bulletin also includes patches for several newly discovered vulnerabilities in IE:

* JPEG Image Rendering Memory Corruption Vulnerability (CAN-2005-1988): While publicly known, no exploits of this vulnerability have surfaced in the wild as of the release date for the patch.
* Web Folder Behaviors Cross-Domain Vulnerability (CAN-2005-1989): This vulnerability is a new, privately reported threat that hasn’t yet surfaced in the wild.
* COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-1990): Portions of this threat were public knowledge, and there have been reports of exploits in the wild.

Applicability

* Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
* IE 5.5 SP2 on Windows ME
* IE 6 on Windows XP SP2
* IE 6 SP1 on all systems prior to Windows Server 2003
* IE 6 for all versions of Windows Server 2003 (including the 64-bit edition)

Some of the threats addressed by this bulletin don’t affect Windows 98 versions, but these versions are critically vulnerable to others. In particular, the COM object memory threat critically affects Windows 98, Windows SE, and Windows ME.

Microsoft Baseline Security Analyzer (MBSA) 1.2.1 and 2.0 will indicate if portions of this set of patches are necessary, but MBSA doesn’t appear to catch all of the components. Systems Management Server (SMS) can also detect whether portions of this update are necessary, and it can perform the update for only some of the components if necessary.

Risk level
The COM Object Instantiation Memory Corruption Vulnerability is a critical remote code execution threat for all affected systems except IE 6 on Windows Server 2003. Furthermore, exploits of this threat have surfaced in the wild.

The JPEG Image Rendering Memory Corruption Vulnerability is a critical threat for all affected versions. The Web Folder Behaviors Cross-Domain Vulnerability is only a moderate to low threat to systems.

Mitigating factors
While the JPEG vulnerability is critical for all affected versions, Windows Server 2003 runs in an enhanced security mode by default, which reduces the risk.

Using the best practice of opening HTML e-mails in a restricted security zone will help mitigate the Web folder threat, and some versions do this by default. By default, Windows Server 2003 and Windows XP SP2 both run in an enhanced security mode, which reduces the risk from this threat.

Fix
Install the updates. As a workaround for the Web folder vulnerability, don’t open or view e-mails in HTML, configure IE to run in the High security mode for both the Internet and Local Intranet zones, and set the system to prompt the user before running ActiveX controls—or simply disable them.

This cumulative patch will change some functionality in IE—both those related to security and others included in earlier updates that don’t involve vulnerabilities. Specifically, installation of the patches will disable arbitrary system monikers in OBJECT tags. It will also restrict the Favorites functionality and set some kill bits in ActiveX controls. For more information, read the security bulletin if this is a concern.
MS05-039

Microsoft Security Bulletin MS05-039, “Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege,” addresses a PnP vulnerability that’s a remote code execution threat (CAN-2005-1983). This is a new, privately reported threat that hasn’t yet surfaced in the wild.

Applicability

* Windows 2000 SP4
* All versions of Windows XP (including SP2 and 64-bit editions)
* All versions of Windows Server 2003 (including Itanium editions)

Due to the inclusion of the Internet Connection Firewall (ICF) and later firewall versions in current Windows XP versions, the major threat from this vulnerability is to those running Windows 2000. This vulnerability does not affect Windows 98, Windows SE, and Windows ME.

Note: Microsoft warns that Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) protocols may also be vulnerable to this threat.

MSBA 1.2.1 and 2.0 will detect whether an update is necessary. SMS can detect the problem and help deploy the update.

Risk level
Microsoft has rated this threat as critical for Windows 2000 systems. It is only a moderate threat for Windows XP and Windows Server 2003 systems.

Mitigating factors
Using firewall best practices to configure firewall settings should block this attack. In addition, an attacker would need valid logon information to penetrate a system.

Fix
Install the updates. As a workaround, block TCP ports 139 and 445 at the firewall, and enable advanced TCP/IP filtering where practical.
MS05-043

Microsoft Security Bulletin MS05-043, “Vulnerability in Print Spooler Service Could Allow Remote Code Execution,” addresses a privately reported vulnerability. No exploits have surfaced in the wild.

Applicability

* Windows 2000 SP4
* Windows XP SP1 and SP2
* Windows Server 2003
* Microsoft Windows Server 2003 for Itanium-based Systems

MSBA 1.2.1 and 2.0 will detect whether an update is necessary. SMS can detect the problem and help deploy the update.

Risk level
This is a critical threat for Windows 2000 and Windows XP SP1. However, it’s only a moderate threat for Windows XP SP2 and Windows Server 2003 systems, partially because it would likely only trigger a denial-of-service attack on those systems.

Mitigating factors
Windows XP SP2 and Windows Server 2003 are only vulnerable to attacks from authorized users. Using firewall best practices should protect all systems from outside attacks.

Fix
Install the updates. As a workaround, disable the Print Spooler service. On Windows 2000 systems, you can edit the registry to remove the Print Spooler service from the NullSessionPipes registry key. For instructions on both workarounds, read the security bulletin.
Final word

Whew! That pretty much leaves no space for any other threats in this edition, but I haven’t seen anything else out there that’s particularly dangerous, and no exploits have surfaced. And it’s fortunate that no one seems to be exploiting the JPEG vulnerability yet because it would trigger just from viewing the malware-infected image.

On a final note, Microsoft has reached an agreement with major spammer Scott Richter, resulting in a $7 million payment to the company, which will use the funds to help fight computer-related crimes. While this could make a dent in the junk mail traffic, it’s more likely that someone overseas—and therefore outside the reach of U.S. law—will just fill his shoes. Remember, spam isn’t even illegal in several countries.