Always ready with a security surprise, Microsoft released
two security bulletins last week—in addition to the release of a critical
security bulletin a week earlier—to start off the year’s Patch Tuesday cycle.
The two updates, both rated critical, fix vulnerabilities in Microsoft Windows,
Outlook, and Exchange.
Details
When I reported last week on Microsoft Security Bulletin MS06-001, which was so critical the software giant released it early,
I thought that would be all we’d hear from Redmond until February. However,
apparently one of Redmond’s New Year’s resolutions was to be more timely
because the company followed up the early release with two more critical
security bulletins on the regularly scheduled second Tuesday of the
month—dubbed Patch Tuesday.
Let’s take a look at MS06-002, which fixes a Windows
vulnerability, and MS06-003, which plugs an Outlook and Exchange hole.
MS06-002
Microsoft Security Bulletin MS06-002, “Vulnerability in Embedded Web Fonts Could
Allow Remote Code Execution,” is a remote code execution threat that comes
from a Windows Embedded Web Font Vulnerability (CVE-2006-0010).
This is a newly discovered and privately reported vulnerability (originating
from eEye Digital Security). There have been
no reports of exploits in the wild.
Applicability
This threat applies to all versions of Windows operating
systems—including Windows 98, x64, and Itanium-based systems—and patches are
available for all at-risk operating systems.
- Windows 2000 Service Pack 4
- All versions of Windows XP (including SP2)
- All versions of Windows Server 2003 (including SP1)
- Windows 98
- Windows SE
- Windows Me
Risk level
Microsoft has rated this a critical threat for Windows 98, Windows SE, Windows
Me, Windows 2000, and all versions of Windows XP. It’s an important threat for
all versions of Windows Server 2003.
Mitigating factors
A successful attacker will only gain the same privileges as the current user.
And as usual, the attacker must persuade the victim to open a malicious e-mail
message or visit a malicious Web site.
Fix
Apply the update. As a workaround for this threat, open e-mails in plain text.
In addition, under Internet Explorer’s Internet and Local Intranet security
zones, set the Font Download setting to Prompt or Disable.
MS06-003
Microsoft Security Bulletin MS06-003, “Vulnerability in TNEF Decoding in
Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution,”
is another remote code execution threat that comes from a TNEF Decoding Vulnerability
(CVE-2006-0002).
TNEF stands for Transport Neutral Encapsulation Format, and MIME attachments use
it, mostly for RTF documents.
This is also a newly discovered and privately reported
vulnerability (originating from NGS
Software). There have been no reports of exploits in the wild.
Applicability
This is primarily a Microsoft Outlook and Microsoft Office threat. That means
even if you don’t use Outlook for security reasons, you’re also at risk if you
use Office.
- Office 2000 SP3, which includes Outlook 2000, Office 2000 MultiLanguage Packs, and
Outlook 2000 English MultiLanguage Packs
- Office XP SP3, which includes Outlook 2002 and Office XP Multilingual User
Interface Packs (MUI)
- Office 2003 SP1 and SP2, which includes Outlook 2003, Office 2003 MUI, and Office
2003 Language Interface Packs
- Exchange Server 5.0 SP2
- Exchange Server 5.5 SP4
- Exchange 2000 Server SP3
Risk level
Microsoft has rated this threat critical for all affected platforms.
Mitigating factors
A successful attacker will only gain the same privileges as the current user.
Fix
Apply the update. As a workaround for Exchange Server, block MS-TNEF, which
protects against SMTP e-mail attacks. In addition, block NNTP protocol public
newsfeeds.
Workarounds will prevent RTF format attachments from opening
properly. However, filtering attachments and selecting an RTF Never Used option won’t
protect your systems. For more details, see the security bulletin.
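The “block MS-TNEF” workaround can be enforced at a mail gateway as well as on the Exchange server. The following is an added example (not code from the column or from Microsoft) that identifies TNEF parts in an RFC 822 message three ways: by the declared application/ms-tnef type, by the conventional winmail.dat filename, and by the TNEF stream’s leading signature, so a part that arrives under a generic content type is still caught. The message it runs on is constructed inline for illustration.

```python
# Added example: gateway-side detection of MS-TNEF parts, in support of the
# MS06-003 "block MS-TNEF" workaround. Not part of the original column.
from email import message_from_bytes
from email.message import EmailMessage

# A TNEF stream begins with the 32-bit signature 0x223E9F78, stored little-endian.
TNEF_MAGIC = b"\x78\x9f\x3e\x22"


def is_tnef_part(part) -> bool:
    """True if a leaf MIME part is MS-TNEF by type, filename, or magic bytes."""
    if part.is_multipart():
        return False
    ctype = part.get_content_type().lower()
    fname = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    return (
        ctype == "application/ms-tnef"
        or fname == "winmail.dat"
        or payload[:4] == TNEF_MAGIC  # catches parts labelled with another type
    )


def find_tnef_parts(raw: bytes) -> list:
    """Return the content types of every TNEF part found in a raw message."""
    msg = message_from_bytes(raw)
    return [p.get_content_type() for p in msg.walk() if is_tnef_part(p)]


def build_sample(with_tnef: bool) -> bytes:
    """Constructed sample message for the demonstration (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body.")
    if with_tnef:
        # Deliberately declared as a generic octet-stream with a non-standard
        # filename, so only the magic-byte check identifies it as TNEF.
        msg.add_attachment(TNEF_MAGIC + b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename="report.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    print(find_tnef_parts(build_sample(True)))   # ['application/octet-stream']
    print(find_tnef_parts(build_sample(False)))  # []
```

A gateway would reject or quarantine any message for which find_tnef_parts returns a non-empty list; as the column notes, doing so also stops legitimate RTF-formatted attachments from opening properly.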
Final word
Microsoft obviously decided that this month’s security bulletins
were important enough to issue one out of sequence, which could signal a new
patch philosophy from the software giant. However, I’m wondering whether
Redmond has really turned over a new leaf. Rather, I suspect it was the
publicity surrounding the recent threats that led the vendor to release the
first patch as soon as it was ready.
Also watch for …
- Feeling worthless? Underappreciated? Check out this PDF of The SANS 2005 IS Salary &
Career Advancement Survey.
- Need to settle an argument about which antivirus program updates the fastest?
Check out test results on AV-Test.org.
(Want a hint? Kaspersky wins, and Symantec is far down on the list at 10
to 12 hours for average response time.)
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.