Microsoft has released 12 Security Bulletins to mark the usual monthly release in February. A number of these bulletins address vulnerabilities which are classified as critical—three for Office, and seven for Windows. This issue only covers the critical Windows patches.
- MS05-009, "Vulnerability in PNG (Portable Network Graphics) Processing," had not yet been exploited at the time of the bulletin.
- MS05-010, "Vulnerability in the License Logging Service," had not been publicly disclosed and hadn't been exploited at the time the bulletin was released.
- MS05-011, "Vulnerability in Server Message Block," had not been publicly disclosed and hadn't been exploited at the time the bulletin was released.
- MS05-012, "Vulnerability in OLE and COM," had not been publicly disclosed and hadn't been exploited at the time the bulletin was released. This bulletin replaces three earlier bulletins from 2003.
- MS05-013, "Vulnerability in the DHTML Editing Component ActiveX Control," leads this list out of numeric sequence because attacks based on this threat have been reported. This is a remote code execution threat that can allow the attacker to harvest information or take complete control of the compromised system. It is mitigated by the installation of Service Pack 2 on XP systems.
- MS05-014, "Cumulative Security Update for Internet Explorer," includes a drag and drop vulnerability (CAN-2005-0053), which is being actively exploited and a cross domain vulnerability (CAN-2005-0056) for which exploit code has been published.
- MS05-015, "Vulnerability in Hyperlink Object Library," also had not been publicly disclosed and hadn't been exploited at the time the bulletin was released.
- MS05-009 affects Media Player version 9 on any other platform, Windows Messenger 5, MSN Messenger 6.1 and 6.2, as well as Windows 98, 98SE, and Me. It does not affect Media Player 6.4, 7.1, 8 (XP), 9 (XP SP2), MP 10, or MSN Messenger for Mac. MSN Messenger 7.0 (beta) was patched before initial release.
- MS05-010 affects NT Server 4.0 SP 6a, NT Server 4.0 TSE SP 6, Windows 2000 Server Service Packs 3 and 4, as well as Windows Server 2003. It does not affect W2000 Pro SP 3 or SP4, XP SP1 or SP2, or the Itanium versions of XP. Also, this does not affect Windows 98, 98SE, and Me.
- MS05-011 affects all versions (including Itanium) and service pack levels of Windows 2000, XP and Windows Server 2003.
- MS05-012 covers two vulnerabilities and affects virtually every Microsoft platform—see the bulletin for details.
- MS05-013 affects Windows 2000 SP3 and SP4, XP SP1 and SP2, 64-bit XP Itanium SP1 and 2003, Server 2003 and 2003 Itanium, and Windows 98, 98SE, and Me.
- MS05-014 covers a large number of vulnerabilities and affects IE 5.01 SP3 and SP4, IE 5.5 SP2 on Me, IE 6 SP1 (before WS 2003), IE 6 WS 2003 including 64-bit edition, and IE 6 XP SP2.
- MS05-015 affects Windows 2000 SP3 and SP4, XP SP1 and SP2, 64-bit XP Itanium SP1 and 2003, Server 2003 and 2003 Itanium, and Windows 98, 98SE, and Me.
Risk level - Critical
- MS05-009 can allow remote code execution and is rated critical in overall impact. Specifically, PNG Processing Vulnerability- CAN-2004-1244, is critical for Windows Media Player 9 and doesn't affect the other applications. PNG Processing Vulnerability- CAN-2004-0597, is critical for MSN Messenger 6.1 and 6.2, moderate for Windows Messenger versions and doesn't apply to Media Player 9.
- MS05-010 can allow remote code execution and is rated critical for some servers. License Logging Service Vulnerability - CAN-2005-0050 is critical for NT 4.0 and Windows 2000 Server Service Pack 3; important for Windows 2000 Server Service Pack 4; and moderate for Windows Server 2003.
- MS05-011 is a remote code execution threat and therefore rated critical. This is the vulnerability assigned the Mitre designation CAN-2005-045.
- MS05-012 can allow remote code execution and is rated critical for some servers. COM Structured Storage Vulnerability, CAN-2005-047 is a local elevation of privilege threat which is only rated as important for Windows 2000, XP, and Server 2003. It doesn't affect other versions. Input Validation Vulnerability, CAN-2005-0044, is a remote code execution threat which is critical for Windows Server 2003, Exchange Server 5.5, Exchange 2000 Server, and Exchange Server 2003. It is rated important for other affected software and not critical for Windows 98, 98 SE, and Me.
- MS05-013, CAN-2004-1319, is a remote code execution threat which is critical for Windows 98, 98 SE, Me, Windows 2000, and XP. It is rated important for XP SP2 and moderate for Windows Server 2003.
- MS05-014 covers a large number of vulnerabilities with the highest rating of critical.
- MS05-015, CAN-2005-0057, is a remote code execution threat rated critical for Windows 98, 98 SE, and Me, Windows 2000, XP, and Server 2003.
- MS05-009 is relatively difficult to exploit because, by default, MSN Messenger does not permit messages from strangers. There are a number of workarounds provided by Microsoft in the bulletin.
- MS05-010 is disabled by default on some servers but it can't be mitigated by disabling the license logging service in Small Business Server 2000 or 2003. You can disable it on some other servers if not needed—see the bulletin for details.
- MS05-011 is blocked by good firewall practices—block TCP ports 139 and 445.
- MS05-012 requires a user to open an e-mail attachment or visit a malicious Web site. The COM threat requires valid logon credentials and is a local exploit only.
- MS05-013 is mitigated by best practices if you configure Internet Explorer to open un-trusted sites in the restricted zone.
- MS05-014 includes a number of individual exploits and hence a large number of mitigating factors and workarounds. See the bulletin for details.
- MS05-015 can't be spread automatically; the user must open a Web page or click on a hyperlink in an e-mail. There are several workarounds listed in the bulletin.
Fix – Apply the provided patches
- MS05-009 replaces MS03-021 (Media Player 9) and MS04-010 (MSN Messenger 6.1).
- MS05-012 replaces MS03-010, MS03-026, and MS03-039.
- MS05-014 replaces MS04-038 and MS04-040.
This month's vulnerability patch release from Microsoft was just so massive that I had to cover it in two columns. Another issue addresses the Office-related bulletins and non-critical Windows threats.
The good news, if there is any, is that most of these vulnerabilities were unknown until Microsoft made the patch available. MS05-013 is the notable difference among the critical-rated threats because attacks based on this vulnerability had been seen in the wild before the February 8, 2005 release date of the Security Bulletin.