After delaying an anticipated critical security bulletin in September, Microsoft is apparently making up for lost time this month. Last week, Redmond released nine security bulletins, three of which it rated critical.
Details
After postponing the September security bulletin release, Microsoft released nine security bulletins for October and has rated three of them as critical: MS05-050, MS05-051, and MS05-052. Of the critical security bulletins, only one is under attack. MS05-052 addresses a publicly disclosed threat for which exploits have appeared in the wild.
Redmond has deemed the remaining security bulletins—MS05-044, MS05-045, MS05-046, MS05-047, MS05-048, and MS05-049—as important and moderate threats. I'll focus on the critical bulletins in this issue, and I'll bring you up to speed on the remaining updates in my next column.
MS05-050
Microsoft Security Bulletin MS05-050, "Vulnerability in DirectShow Could Allow Remote Code Execution," is a DirectX threat that can allow remote code execution (CAN-2005-2128). This bulletin replaces Microsoft Security Bulletin MS03-030 on all affected operating system versions except Windows 2000.
As of October 11, there had been no reports of exploits in the wild. eEye Digital Security, which discovered the vulnerability, didn't disclose the threat publicly until Microsoft released the patch.
Applicability
This vulnerability affects all Windows versions on which DirectX 7.0 or later is installed and enabled. This specifically includes:
- Windows 2000 SP4
- All versions of Windows XP
- All versions of Windows Server 2003
- Windows 98, Windows 98 SE, and Windows ME
Microsoft Baseline Security Analyzer (MBSA) 1.2.1 will indicate if this update is necessary for Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 only. MBSA 2.0 will detect the need for this security update in all other versions that support Microsoft Update. The new version of the Enterprise Update Scanning Tool will also indicate if you need the update.
Risk level
Microsoft has rated this a critical threat for all affected systems.
Mitigating factors
A successful attacker can only gain the privileges of the user. According to Microsoft, there's no escalation of privileges threat for this vulnerability.
Fix
Install the update. There are no known workarounds for this vulnerability. This is a buffer overrun problem, and the fix simply adds a message-length validation check.
MS05-051
Microsoft Security Bulletin MS05-051, "Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution," addresses four vulnerabilities with varying degrees of threat for different platforms.
- MSDTC vulnerability (CAN-2005-2119)
- COM+ vulnerability (CAN-2005-1978)
- TIP vulnerability (CAN-2005-1979)
- Distributed TIP vulnerability (CAN-2005-1980)
The MSDTC and COM+ vulnerabilities are both remote code execution threats with elevation of privilege. The two TIP vulnerabilities are denial of service threats and are therefore much less dangerous.
This bulletin replaces Microsoft Security Bulletins MS03-010, MS03-026, MS03-039, MS04-012, and MS05-012 in some instances. See the security bulletin for details.
As of October 11, there had been no reports of exploits in the wild. None of these vulnerabilities had been publicly disclosed prior to the release of the update.
Applicability
- Windows 2000 SP4
- All versions of Windows XP
- All versions of Windows Server 2003
MBSA will detect whether an update is necessary.
Risk level
MS05-051 includes patches for all four threats. However, Microsoft rates only two of these vulnerabilities as critical, and only for Windows 2000 and Windows XP SP1.
For Windows 2000, the MSDTC and COM+ vulnerabilities are critical, and the two TIP vulnerabilities are moderate threats. For Windows XP SP1, the MSDTC vulnerability is important, and the COM+ vulnerability is critical. The MSDTC vulnerability doesn't affect Windows XP SP2, and the COM+ vulnerability is important on that platform. Both TIP vulnerabilities are low-level threats for both Windows XP SP1 and SP2.
The MSDTC vulnerability is important for Windows Server 2003, but it doesn't affect Windows Server 2003 SP1. The COM+ vulnerability is important for both versions of Windows Server 2003, and the two TIP vulnerabilities are low-level threats for both versions as well.
Mitigating factors
The MSDTC vulnerability in Windows Server 2003 requires valid logon credentials. In Windows XP SP1, the vulnerable component doesn't start by default. Valid logon credentials are also necessary to exploit the COM+ vulnerability, and firewall best practices would typically protect against remote exploitation of the threat. The other threats are low-level, and they have various mitigating factors.
Fix
Install the update. In addition, Microsoft-tested workarounds are available for all of the vulnerabilities. However, these workarounds are somewhat complex, so see the security bulletin for more details. Please note that the TIP-related patch can affect functionality; see the security bulletin for specific details.
MS05-052
Microsoft Security Bulletin MS05-052, "Cumulative Security Update for Internet Explorer," involves a COM object instantiation memory corruption vulnerability (CAN-2005-2127). It replaces the previous cumulative update, Microsoft Security Bulletin MS05-038, and applies to IE 5.01 and later versions. This vulnerability is public knowledge, and there have been reports of exploits in the wild.
Applicability
- Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
- IE 5.5 SP2 on Windows ME
- IE 6 on Windows XP SP2
- IE 6 SP1 on all systems prior to Windows Server 2003
- IE 6 for all versions of Windows Server 2003
MBSA will detect whether an update is necessary.
Risk level
Microsoft has rated this threat as moderate for IE 6 for all versions of Windows Server 2003. It is a critical threat for all other affected versions.
Mitigating factors
Exploitation of this vulnerability requires that users visit a malicious Web site. In addition, systems that correctly open HTML e-mails in a restricted security zone should be safe.
Fix
Install the update. Don't delay applying this patch, since attackers are already actively exploiting this threat. However, you can mitigate the threat immediately by using this workaround: Disable ActiveX controls in the Internet and Local Intranet security zones, or configure IE to prompt before running a new ActiveX control.
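As an added example (not from the column or from Microsoft), the following PowerShell script audits the current user's IE zone settings against the workaround above and, with -Apply, sets them to Disable or Prompt. It assumes the standard IE zone registry layout: zone 1 is Local intranet, zone 3 is Internet, value 1200 is "Run ActiveX controls and plug-ins", 1001 and 1004 are the signed/unsigned ActiveX download actions, and data 0/1/3 mean Enable/Prompt/Disable.

```powershell
# Added example: audit (and optionally harden) IE ActiveX settings for the
# current user (HKCU). Zone 1 = Local intranet, Zone 3 = Internet.
# Value names are IE's URL-action IDs; data 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [switch]$Apply,                      # without -Apply the script only reports
    [ValidateSet(1, 3)][int]$Mode = 3    # 3 = Disable ActiveX, 1 = Prompt first
)

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions  = @{ 1200 = 'Run ActiveX controls and plug-ins'
               1001 = 'Download signed ActiveX controls'
               1004 = 'Download unsigned ActiveX controls' }
$labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($zoneId in ($zones.Keys | Sort-Object)) {
    $key = Join-Path $zoneRoot "$zoneId"
    if (-not (Test-Path $key)) { Write-Warning "Zone key missing: $key"; continue }

    foreach ($action in ($actions.Keys | Sort-Object)) {
        $name    = "$action"
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $current) {
            '{0,-15} {1,-36} {2}' -f $zones[$zoneId], $actions[$action], 'not set (zone default applies)'
            continue
        }
        # Unknown data (for example 0x10000, administrator-approved) is shown raw.
        $label  = if ($labels.ContainsKey([int]$current)) { $labels[[int]$current] } else { "0x{0:X}" -f $current }
        $status = if ($current -eq 0) { 'EXPOSED' } else { 'ok' }
        '{0,-15} {1,-36} {2,-8} {3}' -f $zones[$zoneId], $actions[$action], $label, $status

        if ($Apply -and $current -eq 0) {
            # Only tighten values that are currently Enable; never loosen an existing setting.
            Set-ItemProperty -Path $key -Name $name -Value $Mode -Type DWord
            "  -> set to $($labels[$Mode])"
        }
    }
}
```

On domain-joined machines Group Policy, and HKLM when Security_HKLM_only is set, takes precedence over these per-user values, so run the audit as the affected user and confirm the effective setting in the IE Security tab.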
Final word
While nine security bulletins may seem like an unusually high number, keep in mind that Microsoft released no security bulletins in September. So really, this is actually two months' worth of patches.
And one last thing to keep in mind: When a bulletin involves a great deal of detail, I always direct readers to the bulletin itself. This isn't just because of space considerations and the fact that those details don't apply to all users; these parts of the bulletins are also the most likely place that Microsoft will add updates. Always consult the actual bulletin for any updates. Revision notices are always at the very end of the bulletin.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.