‘Tis the season for giving, and Microsoft has caught the
spirit: The software giant beat Santa to the punch this year and gifted users
with two Microsoft patches.
With the release of Microsoft Security Bulletin MS05-054,
Redmond offered users an early gift this season by finally fixing a critical
vulnerability that has been lurking in the
Internet Explorer browser for more than six months. To round out the
software maker’s monthly updates, Microsoft also released Security Bulletin
MS05-055, which addresses a somewhat minor threat in Windows 2000.
Security Bulletin MS05-054, “Cumulative Security Update for Internet
Explorer,” includes a fix for the long-unpatched
vulnerability that has generated so much negative
publicity for Microsoft in recent weeks. MS05-054 replaces Microsoft Security
Bulletin MS05-052 for all affected platforms.
This security bulletin addresses four vulnerabilities:
Download Dialog Box Manipulation vulnerability: This is a remote code
execution threat (CAN-2005-2829).
Proxy vulnerability: This poses an information disclosure threat (CAN-2005-2830).
Object Instantiation Memory Corruption vulnerability: This is another
remote code execution threat (CAN-2005-2831).
Document Object Model Objects Memory Corruption vulnerability: This is
another remote code execution threat (CAN-2005-1790).
2000 Service Pack 4
versions of Windows XP
versions of Windows Server 2003
98, Windows SE, and Windows ME
The cumulative threat level is critical for all vulnerable
platforms—with one exception. This is only a moderate threat for Internet
Explorer 6 running on versions of Windows Server 2003. This applies to the COM
Object Instantiation Memory Corruption and the Mismatched Document Object Model
Objects Memory Corruption vulnerabilities.
The File Download Dialog Box Manipulation and the HTTPS
Proxy vulnerabilities are a moderate threat for all affected systems. However, the
File Download Dialog Box Manipulation vulnerability is only a low threat for IE
6 running on versions of Windows Server 2003.
For the File Download Dialog Box Manipulation vulnerability,
opening HTML e-mail messages in the Restricted security zone (which Outlook
Express 6, Outlook 2002, and Outlook 2003 do) can reduce or eliminate the
threat. This security best practice can also help reduce or eliminate the
threat for the COM Object Instantiation Memory Corruption and the Mismatched Document
Object Model Objects Memory Corruption vulnerabilities. The HTTPS Proxy vulnerability
is a local network attack, and the information disclosed would probably be
Install the update. The best workarounds for browser threats
are using common sense, avoiding unknown and/or untrusted sites, and not opening
e-mails from unknown sources.
As a workaround for the File Download Dialog Box
Manipulation vulnerability, set Internet Explorer to prompt before running Active
Scripting, or disable
Active Scripting in the Internet and Local Intranet security zones. This
workaround also applies to the COM Object Instantiation Memory Corruption and
the Mismatched Document Object Model Objects Memory Corruption vulnerabilities.
Microsoft’s suggested workaround for the HTTPS Proxy vulnerability is to avoid
using authenticating proxy servers that require Basic Authentication as a proxy
for HTTPS communication.
Security Bulletin MS05-055, “Vulnerability in Windows Kernel Could
Allow Elevation of Privilege,” is a minor elevation of privilege threat
that only affects Windows 2000 SP4. Microsoft has rated this vulnerability as
an important threat.
No workarounds are currently available. However, an attacker
would need valid logon credentials and local access to the network in order to
exploit this vulnerability.
While I’m hard-pressed to generate much real sympathy for a
multibillionaire—especially someone just named one of the
three Time magazine’s “Persons of the Year” (and very richly
deserved too)—I do have a certain amount of compassion for Bill Gates and
Microsoft, which will always endure criticism for
This is an unfortunate industry truth: If a company rushes a
patch, and there’s the slightest problem with it (and who among us has never
made a mistake?), then the company garners criticism for releasing a bad patch.
On the other hand, if a company waits to perform extensive testing on all
aspects of the patch and finally releases a solid patch, then users complain
that the company was too slow to provide a patch.
All I know is that, using standard best practices, I’ve never—not even once—encountered any actual
damage from any of the myriad vulnerabilities discovered and/or patched in
Microsoft code. While I know plenty of people have encountered problems, I can’t
speak for the state of their firewalls, how often they update virus signatures,
or whether they engage in what I would consider risky online behavior.
Also watch for…
to CIO Magazine’s third annual Global State of
Information Security study of IT security pros from 62 countries, respondents
experienced more than 2 security incidents each day on average in the past
12 months. While spending on security is up, it’s still not high enough.
has disclosed a vulnerability
in the Opera Web browser, which is very similar to the recently
patched Internet Explorer threat. This is a “mouse-click” error,
which can allow a malicious Web site operator to download and execute
random code on a computer.
has decided to follow Microsoft’s lead and has announced
plans to begin releasing vulnerability patches on a monthly basis.
Miss a column?
Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.
Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.