Microsoft releases three critical security bulletins

It's back to business as usual for Microsoft: The software giant has released 10 security bulletins for June, three of which are critical. John McCormick has the details on the three critical patches.

Microsoft goes back to business as usual with the release of 10 security bulletins for June, three of which patch critical flaws.

Details

After some relatively slow months, Microsoft's dreaded monthly patch day has re-emerged as an important source of security information. The software giant released 10 security bulletins for June last week.

Due to the numerous threats, I'll concentrate on the three critical bulletins this week. Next week, I'll focus on the remaining seven bulletins. As bad as the three critical threats are, keep in mind that this month's release is about on a par with April's release of five critical vulnerability patches and February's release of seven critical bulletins.

MS05-025

Microsoft Security Bulletin MS05-025, "Cumulative Security Update for Internet Explorer," covers two new, but not publicly disclosed, vulnerabilities. The most important vulnerability patched by this bulletin can result in remote code execution.

  • CAN-2005-1211: Portable Network Graphics (PNG) image rendering memory corruption vulnerability (critical threat)
  • CAN-2002-0648: XML redirect information disclosure vulnerability (low to moderate threat)

The updates in this patch also include an improvement to the pop-up ad blocker for Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. In addition, this bulletin includes updates for Windows 98, Windows SE, and Windows ME. While regular support for these older versions has ended, Microsoft continues to support these editions when it comes to critical security vulnerabilities.

Applicability

  • Windows 2000 SP3
  • Windows 2000 SP4
  • All versions of Windows XP (including SP2 and 64-bit editions)
  • All versions of Windows Server 2003 (including Itanium editions)
  • Windows 98
  • Windows SE
  • Windows ME

Mitigating factors
You must open an e-mail attachment to be vulnerable to this threat. Opening e-mails in plain text blocks the critical threat that comes from a PNG image rendering flaw. Sticking to plain text e-mail also blocks e-mail XML redirect attacks.

Potential attackers can use malicious code on a Web site to exploit the XML redirect vulnerability. However, by default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mails in the Restricted zone if you've applied all earlier security updates. Internet Explorer running on Windows Server 2003 runs in the Enhanced Security Configuration, which also blocks this attack.

Fix
Install the updates. The Microsoft Baseline Security Analyzer (MBSA) and the Systems Management Server (SMS) will indicate if the patches are necessary.

According to Microsoft, you can block PNG image rendering in Internet Explorer by unregistering Pngfilt.dll. (Go to Start | Run, enter regsvr32 /u pngfilt.dll, and click OK.) To disable PNG image rendering via the registry, see the original Security Bulletin.

Microsoft recommends this workaround for the XML redirect threat: Configure IE to run in the High security mode for both the Internet and Local Intranet zones. You can also use the Custom Level security option to require that IE prompts the user before running Active Scripting.

MS05-026

Microsoft Security Bulletin MS05-026, "Vulnerability in HTML Help Could Allow Remote Code Execution," is yet another patch for the HTML Help feature that can allow remote code execution. However, this threat is unrelated to the HTML Help vulnerability patched in MS05-001.

This bulletin addresses one new and not publicly disclosed threat related to the InfoTech protocol (CAN-2005-1208). In addition, this bulletin includes updates for Windows 98, Windows SE, and Windows ME. While regular support for these older versions has ended, Microsoft continues to support these editions when it comes to critical security vulnerabilities.

Applicability

  • Windows 2000 SP3
  • Windows 2000 SP4
  • All versions of Windows XP (including SP2 and 64-bit editions)
  • All versions of Windows Server 2003 (including Itanium editions)
  • Windows 98
  • Windows SE
  • Windows ME

Mitigating factors
Windows Server 2003 SP1 places restrictions on the InfoTech protocol to help prevent remote attacks. By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mails in the Restricted zone if you've applied all earlier security updates.

Fix
Install the updates. MBSA and SMS will indicate if the patches are necessary.

Microsoft suggests the following workaround: Unregister the HTML Help InfoTech protocol by going to Start | Run, entering regsvr32 /u %windir%\system32\itss.dll, and clicking OK. For systems running Windows 98, Windows SE, and Windows ME, enter regsvr32 /u %windir%\system\itss.dll instead. This workaround disables all HTML Help.

MS05-027

Microsoft Security Bulletin MS05-027, "Vulnerability in Server Message Block Could Allow Remote Code Execution," addresses one new and not publicly disclosed threat (CAN-2005-1206). Without firewall protection or TCP/IP filtering, attackers can exploit this vulnerability using an outside Internet-based attack or via a local network.

This vulnerability does not affect the related Common Internet File System (CIFS) Internet Standard protocol. This threat is unrelated to the SMB vulnerability patched in MS05-011.

Applicability

  • Windows 2000 SP3
  • Windows 2000 SP4
  • All versions of Windows XP (including SP2 and 64-bit editions)
  • All versions of Windows Server 2003 (including Itanium editions)

This vulnerability does not affect Windows 98, Windows SE, or Windows ME.

Mitigating factors
Although remote code execution is possible, in most instances, this attack would result in a denial of service instead. Firewall best practices will protect against this attack vector, and even the minimal Internet Connection Firewall (ICF), as well as the Windows Firewall provided with XP SP2 and the firewall supplied with Windows Server 2003, will block unsolicited incoming traffic.

Fix
Install the updates. MBSA and SMS will indicate if the patches are necessary.

A simple workaround is to block TCP Ports 139 and 445 at the firewall—both inbound and outbound. This prevents the affected protocol from initiating a connection.
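One way to confirm the port block is in place, as an added example (not from the original article or from Microsoft): a small Python check that tries to connect to TCP 139 and 445 on hosts you administer and reports whether either port still accepts connections. It tests only the direction from the machine it runs on toward the target, so run it from outside the firewall for the inbound rule and from inside for the outbound rule; the host name in the comment is hypothetical.

```python
import socket
import sys

SMB_PORTS = (139, 445)  # the two TCP ports the workaround blocks


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: SMB is reachable
    except ConnectionRefusedError:
        return "closed"      # RST: nothing listening, or firewall rejects
    except socket.gaierror:
        raise                # bad host name is an operator error, not a result
    except OSError:
        return "filtered"    # timeout or ICMP unreachable: traffic dropped
    finally:
        sock.close()


def audit(host, ports=SMB_PORTS, timeout=2.0, probe_fn=probe):
    """Probe each port; the host passes only if none accepts a connection."""
    results = {port: probe_fn(host, port, timeout) for port in ports}
    exposed = sorted(p for p, state in results.items() if state == "open")
    return {"host": host, "results": results,
            "exposed": exposed, "blocked": not exposed}


if __name__ == "__main__":
    # Hosts are given on the command line, e.g. a (hypothetical) fileserver01.
    failed = False
    for target in sys.argv[1:]:
        report = audit(target)
        status = "blocked" if report["blocked"] else "EXPOSED"
        print(f"{target}: {status} {report['results']}")
        failed = failed or not report["blocked"]
    sys.exit(1 if failed else 0)
```

The script exits with status 1 if any listed host still accepts a connection on either port, so it can gate a change-control checklist.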

Risk level - Critical

All three bulletins include remote code execution vulnerabilities and therefore are as serious as threats get. However, one component of MS05-025 does not represent a critical threat.

Tune in next week to get the details on the lower-level vulnerabilities. But for those of you who feel confident in the process, you can go to Microsoft Windows Update for all patches.

Final word

Well, we seem to be on track for Microsoft threats so far this year. However, I think it's only fair to point out that all the critical threats addressed by this month's bulletins are for vulnerabilities not already publicly known—and therefore no one's trying to exploit them yet. In other words, Microsoft provided patches before anyone was even aware of these vulnerabilities, let alone became a victim of them.

When is a critical vulnerability not a critical vulnerability? That's a trick question—it's always critical. But a vulnerability certainly isn't much of a real-world problem if no one knows it exists until after a fix is available.

Of course these threats are public now, so you do need to patch them or apply workarounds until you see if the patches themselves cause any problems.


Also watch for …

  • Those of you who have always disliked product activation features have a new reason to add to your objections: Adobe has announced that its License Management Service, a component used for product activation, contains a vulnerability that can let an attacker gain control of computers running Adobe Photoshop CS for Windows, Adobe Creative Suite 1.0, and Adobe Premiere Pro 1.5. A security patch is available from Adobe.
  • Those of you who complain so loudly about ActiveX should take note that Sun has just patched two highly critical vulnerabilities in Java. Secunia's high rating is because the vulnerabilities not only allow an attacker to run arbitrary code on vulnerable systems—but he or she can do so without any indication of the attack. This threat applies to older Java 2 Platform Standard Edition (J2SE) releases, versions prior to February's J2SE 5.0 Update 2. Sun recommends upgrading Java Platform code to the latest version.
  • Warning: Anyone running Windows 2000 should take note of the fact that general support for the popular OS will end this month.
  • Finally, since we look to the Feds to help protect us against Internet scams and other crimes, I feel I would be remiss if I didn't point out a CNN report that a 30-year FBI veteran will serve a year-long federal prison sentence for possession of child pornography. The long-time agent said he learned how to access child porn Web sites at a training session in 2000 or 2001.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
