The February Microsoft Security Bulletin release was so large that we had to break coverage into two issues. This one includes less-than-critical threats to Windows as well as all the newly patched threats to Office.
- MS05-004, "ASP.NET Path Validation Vulnerability," is an elevation of privilege and information disclosure threat. This was being actively exploited at the time the bulletin was released.
- MS05-005, "Vulnerability in Microsoft Office XP," is a remote code execution threat caused by a buffer overrun. This is the only critical-rated threat covered in this issue. It was not being exploited at the time the bulletin was released.
- MS05-006, "Vulnerability in Windows SharePoint Services and SharePoint Team Services Could Allow Cross-Site Scripting and Spoofing Attacks," is a remote code execution vulnerability that was not being exploited at the time the bulletin was released.
- MS05-007, "Vulnerability in Windows Could Allow Information Disclosure," is a "named-pipe vulnerability" and no exploits had been seen at the time the bulletin was released. Named pipes, MSDN Library Web site, are used by processes which need to communicate with each other. The vulnerability is due to poor authentication.
- MS05-008, "Vulnerability in Windows Shell Could Allow Remote Code Execution," is a drag-and-drop vulnerability which is being actively exploited. It is caused by improper validation of some DHTML (Dynamic HTML) events.
- MS05-004 affects both .NET Framework 1.0 and 1.1. The affected component is ASP.NET. Note that the Microsoft Baseline Security Analyzer will NOT report on the need to patch this vulnerability but a new Enterprise Update Scanning Tool will assist.
- MS05-005 affects all versions and service pack releases of Office XP, Project 2002, Visio 2002, Works Suite 2002, 2003, and 2004. Not affected are Office 2000 and 2003. Microsoft Baseline Security Analyzer (MBSA) will report if this update is required.
- MS05-006 only affects Windows SharePoint Services for Windows Server 2003 and SharePoint Team Services. Note that the Microsoft Baseline Security Analyzer will report on the need to patch some programs for this vulnerability but a new Enterprise Update Scanning Tool will assist in determining whether software unsupported by MBSA needs the update.
- MS05-007 only applies to Windows XP SP1 and SP2, as well as the 64-bit XP Titanium edition. The Microsoft Baseline Security Analyzer (MBSA) will report if this update is required.
- MS05-008 applies to Windows 2000 SP3 and SP4, XP SP1 and SP2, as well as 64-bit Itanium versions of XP, Windows Server 2003 including Itanium versions, and Windows 98, 98 SE, and Me. The Microsoft Baseline Security Analyzer (MBSA) will report if this update is required.
Risk level – Maximum rating is critical
- MS05-004 is rated important, and you need to be aware that exploits are being seen in the wild. This vulnerability carries the Mitre designation - Path Validation Vulnerability - CAN-2004-0847.
- MS05-005 is rated critical and has been given the Mitre designation - CAN-2004-0848.
- MS05-006 is only rated moderate because it only affects uses of SharePoint. This vulnerability carries the Mitre designation - Cross-site Scripting and Spoofing Vulnerability - CAN-2005-0049.
- MS05-007 is rated important for XP SP1 but moderate for XP SP2 and carries the Mitre designation - Named Pipe Vulnerability - CAN-2005-0051.
- MS05-008 carries a not-critical rating for Windows 98, 98 SE, and Me; an important rating for Windows 2000 and XP; and a moderate rating for Windows Server 2003. This threat has been assigned the Mitre designation CAN-2005-0053.
- MS05-004, according to Microsoft, "only affects sites which require authenticated access."
- MS05-005 can only be exploited if the user can be persuaded to open a malicious link. This would not occur automatically unless default settings were altered.
- MS05-006 has a few rather complex mitigating circumstances; see the bulletin for details.
- MS05-007 is mitigated by best firewall practices and the fact that the vulnerable Computer Browser service does not run by default on XP SP2 systems.
- MS05-008 is mitigated by the fact that most recent and patched versions of Outlook and Outlook Express open HTML e-mails in the Restricted security zone.
Fix – Apply patches
- MS05-004 can be mitigated by applying the mitigation code module described in Microsoft Knowledge Base article 887289 as a workaround. For other workarounds see the bulletin.
- MS05-005 has a simple workaround to reduce the threat. In the Tools menu, choose Folder Options | File Types | Advanced and check Confirm Open After Download. Uncheck Browse In Same Window, and users will be prompted before code is run. This doesn't prevent the user from running it anyway, just prevents automatic infection.
- MS05-006 doesn't have any workaround identified by Microsoft.
- MS05-007 can be mitigated using the Microsoft recommended workaround of disabling the Computer Browser service. Also, blocking TCP ports 139 and 455 in the firewall will block attempts by the affected protocol to make a connection. Using the Internet Connection Firewall, do not enable "File and Printer Sharing for Microsoft Networks."
- MS05-008 can be mitigated by setting your browser to prompt before running ActiveX controls and plug-ins. You should also set Internet and Local intranet security settings to High. You can also disable "Drag and Drop or copy and paste files" in Internet Explorer.
The threats covered by these bulletins are relatively minor, even the one marked critical. Microsoft has introduced a new tool to assist managers. Microsoft Knowledge Base Article 984193 describes the Enterprise Update Scanning Tool.
Based on the discovery of the first Trojan to target the software (see below) I have deleted Microsoft's AntiSpyware beta from my machine. Before you Microsoft bashers start cheering that yet another Microsoft program carries hidden threats, check out the note below on Symantec security product vulnerabilities.
This slew of critical and less-than-critical security updates certainly doesn't do anything to fix Microsoft's image, but it's important to remember that virtually every other vendor has security problems also. I only point that out because too many people seem to get dangerously complacent if they avoid Microsoft products and the complacency simply isn't justified.
Also watch for …
- Stocks of other antivirus companies took a hit recently as Microsoft's announced acquisition of small AV e-mail protection software vendor Sybari Software Inc. caused everyone to recognize that the Redmond-based giant is serious about getting into the AV business.
- Sophos has announced the discovery of the first Trojan (BankAsh) that attacks the new Microsoft AntiSpyware software which is still in beta.
- ISS-Xforce has discovered a number of high-risk vulnerabilities in a wide range of Symantec security programs, including those for the Macintosh platform. Symantec has provided fixes for the UXP parsing engine overflow.