‘Tis the season for giving, and Microsoft has caught the
spirit: The software giant beat Santa to the punch this year and gifted users
with two Microsoft patches.

Details

With the release of Microsoft Security Bulletin MS05-054, Redmond
offered users an early gift this season by finally fixing a critical
vulnerability that has been lurking in the Internet Explorer browser
for more than six months. To round out the software maker’s monthly
updates, Microsoft also released Security Bulletin MS05-055, which
addresses a somewhat minor threat in Windows 2000.

MS05-054

Microsoft Security Bulletin MS05-054, “Cumulative Security Update for
Internet Explorer,” includes a fix for the long-unpatched vulnerability
that has generated so much negative publicity for Microsoft in recent
weeks. MS05-054 replaces Microsoft Security Bulletin MS05-052 for all
affected platforms.

This security bulletin addresses four vulnerabilities:

  • File Download Dialog Box Manipulation vulnerability: This is a
    remote code execution threat (CAN-2005-2829).
  • HTTPS Proxy vulnerability: This poses an information disclosure
    threat (CAN-2005-2830).
  • COM Object Instantiation Memory Corruption vulnerability: This is
    another remote code execution threat (CAN-2005-2831).
  • Mismatched Document Object Model Objects Memory Corruption
    vulnerability: This is another remote code execution threat
    (CAN-2005-1790).

Applicability

  • Windows 2000 Service Pack 4
  • All versions of Windows XP
  • All versions of Windows Server 2003
  • Windows 98, Windows SE, and Windows ME

Risk level

The cumulative threat level is critical for all vulnerable
platforms—with one exception. This is only a moderate threat for Internet
Explorer 6 running on versions of Windows Server 2003. This applies to the COM
Object Instantiation Memory Corruption and the Mismatched Document Object Model
Objects Memory Corruption vulnerabilities.

The File Download Dialog Box Manipulation and the HTTPS
Proxy vulnerabilities are a moderate threat for all affected systems. However, the
File Download Dialog Box Manipulation vulnerability is only a low threat for IE
6 running on versions of Windows Server 2003.

Mitigating factors

For the File Download Dialog Box Manipulation vulnerability,
opening HTML e-mail messages in the Restricted security zone (which Outlook
Express 6, Outlook 2002, and Outlook 2003 do) can reduce or eliminate the
threat. This security best practice can also help reduce or eliminate the
threat for the COM Object Instantiation Memory Corruption and the Mismatched Document
Object Model Objects Memory Corruption vulnerabilities. The HTTPS Proxy vulnerability
is a local network attack, and the information disclosed would probably be
random.

Fix

Install the update. The best workarounds for browser threats
are using common sense, avoiding unknown and/or untrusted sites, and not opening
e-mails from unknown sources.

As a workaround for the File Download Dialog Box Manipulation
vulnerability, set Internet Explorer to prompt before running Active
Scripting, or disable Active Scripting in the Internet and Local
Intranet security zones. This workaround also applies to the COM Object
Instantiation Memory Corruption and the Mismatched Document Object Model
Objects Memory Corruption vulnerabilities. Microsoft’s suggested
workaround for the HTTPS Proxy vulnerability is to avoid using
authenticating proxy servers that require Basic Authentication as a
proxy for HTTPS communication.
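
An added example, not from the original column or from Microsoft's bulletin: a read-only PowerShell check of the Active Scripting setting for the two zones the workaround names. The registry locations and the 1400 value are the standard Internet Explorer zone settings, supplied here as an assumption since the column does not list them.

```powershell
# Added example: audit the Active Scripting setting (URL action 1400)
# for the Local Intranet and Internet zones. Nothing is modified.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Locations checked, policy keys first. Which one is effective depends on
# how Group Policy is configured; this script only reports what each holds.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingSetting {
    foreach ($root in $roots) {
        foreach ($id in ($zones.Keys | Sort-Object)) {
            $key  = Join-Path $root "$id"
            $item = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value not set at this location

            $value = [int]$item.'1400'
            $setting = if ($meaning.ContainsKey($value)) { $meaning[$value] }
                       else { "Unknown ($value)" }

            [pscustomobject]@{
                Zone            = $zones[$id]
                Setting         = $setting
                # The workaround asks for Prompt (1) or Disable (3).
                MeetsWorkaround = ($value -eq 1 -or $value -eq 3)
                Key             = $key
            }
        }
    }
}

Get-ActiveScriptingSetting | Format-Table -AutoSize
```

A zone that returns no row has no explicit value at that location, so the browser's default for the zone's security level applies.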

MS05-055

Microsoft Security Bulletin MS05-055, “Vulnerability in Windows Kernel
Could Allow Elevation of Privilege,” is a minor elevation of privilege
threat that only affects Windows 2000 SP4. Microsoft has rated this
vulnerability as an important threat.

No workarounds are currently available. However, an attacker
would need valid logon credentials and local access to the network in order to
exploit this vulnerability.

Final word

While I’m hard-pressed to generate much real sympathy for a
multibillionaire—especially someone just named one of Time magazine’s
three “Persons of the Year” (and very richly deserved too)—I do have a
certain amount of compassion for Bill Gates and Microsoft, which will
always endure criticism for its patches.

This is an unfortunate industry truth: If a company rushes a
patch, and there’s the slightest problem with it (and who among us has never
made a mistake?), then the company garners criticism for releasing a bad patch.
On the other hand, if a company waits to perform extensive testing on all
aspects of the patch and finally releases a solid patch, then users complain
that the company was too slow to provide a patch.

All I know is that, using standard best practices, I’ve never—not even once—encountered any actual
damage from any of the myriad vulnerabilities discovered and/or patched in
Microsoft code. While I know plenty of people have encountered problems, I can’t
speak for the state of their firewalls, how often they update virus signatures,
or whether they engage in what I would consider risky online behavior.


Also watch for…

  • According to CIO Magazine’s third annual Global State of Information
    Security study of IT security pros from 62 countries, respondents
    experienced more than 2 security incidents each day on average in
    the past 12 months. While spending on security is up, it’s still not
    high enough.
  • Secunia.com has disclosed a vulnerability in the Opera Web browser,
    which is very similar to the recently patched Internet Explorer
    threat. This is a “mouse-click” error, which can allow a malicious
    Web site operator to download and execute random code on a computer.
  • Adobe has decided to follow Microsoft’s lead and has announced plans
    to begin releasing vulnerability patches on a monthly basis.

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.