'Tis the season for giving, and Microsoft has caught the spirit: The software giant beat Santa to the punch this year and gifted users with two Microsoft patches.
Details
With the release of Microsoft Security Bulletin MS05-054, Redmond offered users an early gift this season by finally fixing a critical vulnerability that has been lurking in the Internet Explorer browser for more than six months. To round out the software maker's monthly updates, Microsoft also released Security Bulletin MS05-055, which addresses a somewhat minor threat in Windows 2000.
MS05-054
Microsoft Security Bulletin MS05-054, "Cumulative Security Update for Internet Explorer," includes a fix for the long-unpatched vulnerability that has generated so much negative publicity for Microsoft in recent weeks. MS05-054 replaces Microsoft Security Bulletin MS05-052 for all affected platforms.
This security bulletin addresses four vulnerabilities:
- File Download Dialog Box Manipulation vulnerability: This is a remote code execution threat (CAN-2005-2829).
- HTTPS Proxy vulnerability: This poses an information disclosure threat (CAN-2005-2830).
- COM Object Instantiation Memory Corruption vulnerability: This is another remote code execution threat (CAN-2005-2831).
- Mismatched Document Object Model Objects Memory Corruption vulnerability: This is another remote code execution threat (CAN-2005-1790).
Applicability
- Windows 2000 Service Pack 4
- All versions of Windows XP
- All versions of Windows Server 2003
- Windows 98, Windows 98 SE, and Windows ME
Risk level
The cumulative threat level is critical for all vulnerable platforms, with one exception: the COM Object Instantiation Memory Corruption and the Mismatched Document Object Model Objects Memory Corruption vulnerabilities are only a moderate threat for Internet Explorer 6 running on versions of Windows Server 2003.
The File Download Dialog Box Manipulation and the HTTPS Proxy vulnerabilities are a moderate threat for all affected systems. However, the File Download Dialog Box Manipulation vulnerability is only a low threat for IE 6 running on versions of Windows Server 2003.
Mitigating factors
For the File Download Dialog Box Manipulation vulnerability, opening HTML e-mail messages in the Restricted security zone (which Outlook Express 6, Outlook 2002, and Outlook 2003 do) can reduce or eliminate the threat. This security best practice can also help reduce or eliminate the threat for the COM Object Instantiation Memory Corruption and the Mismatched Document Object Model Objects Memory Corruption vulnerabilities. The HTTPS Proxy vulnerability is a local network attack, and the information disclosed would probably be random.
Fix
Install the update. The best workarounds for browser threats are using common sense, avoiding unknown and/or untrusted sites, and not opening e-mails from unknown sources.
As a workaround for the File Download Dialog Box Manipulation vulnerability, set Internet Explorer to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local Intranet security zones. This workaround also applies to the COM Object Instantiation Memory Corruption and the Mismatched Document Object Model Objects Memory Corruption vulnerabilities. Microsoft's suggested workaround for the HTTPS Proxy vulnerability is to avoid using authenticating proxy servers that require Basic Authentication as a proxy for HTTPS communication.
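To verify that the Active Scripting workaround is actually in place, the following added example (not from the column or from Microsoft's bulletin) audits the setting for the Internet and Local Intranet zones. It assumes the standard Internet Explorer zone registry layout, where URL action 1400 controls Active Scripting, zone 1 is Local Intranet and zone 3 is Internet; the function name is hypothetical.

```powershell
# Added example: audit the Active Scripting setting (URL action 1400) for the
# two zones named in the workaround. Registry layout is an assumption not
# stated on the page: zone 1 = Local Intranet, zone 3 = Internet;
# value 0 = Enable, 1 = Prompt, 3 = Disable.
$zones   = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots   = [ordered]@{
    'User policy'    = "HKCU:\Software\Policies\$suffix"
    'Machine policy' = "HKLM:\SOFTWARE\Policies\$suffix"
    'User setting'   = "HKCU:\Software\$suffix"
}

function Get-ActiveScriptingAudit {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        foreach ($source in $roots.Keys) {
            $key  = Join-Path $roots[$source] "$zone"
            $item = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                # No explicit value at this location; the zone default applies.
                $state = 'Not set'
            } else {
                $value = [int]$item.'1400'
                $state = if ($meaning.ContainsKey($value)) { $meaning[$value] }
                         else { "Unknown ($value)" }
            }
            [pscustomobject]@{
                Zone              = $zones[$zone]
                Source            = $source
                ActiveScripting   = $state
                # The workaround is met only by Prompt or Disable.
                MatchesWorkaround = ($state -in 'Prompt', 'Disable')
            }
        }
    }
}

Get-ActiveScriptingAudit | Format-Table -AutoSize
```

A row showing "Enable" for either zone means the workaround is not applied at that location; "Not set" means no explicit value is stored there.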
MS05-055
Microsoft Security Bulletin MS05-055, "Vulnerability in Windows Kernel Could Allow Elevation of Privilege," addresses a minor elevation of privilege threat that only affects Windows 2000 SP4. Microsoft has rated this vulnerability as an important threat.
No workarounds are currently available. However, an attacker would need valid logon credentials and local access to the network in order to exploit this vulnerability.
Final word
While I'm hard-pressed to generate much real sympathy for a multibillionaire, especially someone just named one of Time magazine's three "Persons of the Year" (and very richly deserved too), I do have a certain amount of compassion for Bill Gates and Microsoft, which will always endure criticism for its patches.
This is an unfortunate industry truth: If a company rushes a patch, and there's the slightest problem with it (and who among us has never made a mistake?), then the company garners criticism for releasing a bad patch. On the other hand, if a company waits to perform extensive testing on all aspects of the patch and finally releases a solid patch, then users complain that the company was too slow to provide a patch.
All I know is that, using standard best practices, I've never—not even once—encountered any actual damage from any of the myriad vulnerabilities discovered and/or patched in Microsoft code. While I know plenty of people have encountered problems, I can't speak for the state of their firewalls, how often they update virus signatures, or whether they engage in what I would consider risky online behavior.
Also watch for…
- According to CIO Magazine's third annual Global State of Information Security study of IT security pros from 62 countries, respondents experienced more than 2 security incidents each day on average in the past 12 months. While spending on security is up, it's still not high enough.
- Secunia.com has disclosed a vulnerability in the Opera Web browser, which is very similar to the recently patched Internet Explorer threat. This is a "mouse-click" error, which can allow a malicious Web site operator to download and execute arbitrary code on a computer.
- Adobe has decided to follow Microsoft's lead and has announced plans to begin releasing vulnerability patches on a monthly basis.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.



