Yes, Virginia, it's possible to have only one security threat that requires a patch in a Microsoft security bulletin. But the pendulum swings the other way for the Firefox browser, which has seen several critical new threats emerge.
This month's regularly scheduled security bulletin from Microsoft consisted of only one relatively minor patch. Microsoft Security Bulletin MS05-024, "Vulnerability in Web View Could Allow Remote Code Execution," is a script injection vulnerability that could allow a remote attacker to run arbitrary code on a system.
The available patch fixes the problem first reported by GreyMagic on January 18, but I've seen no reports of exploits in the wild. So, while it has some serious potential, it only affects Windows 2000 and earlier systems, which means it likely won't apply to many organizations.
In fact, some confusion exists as to whether this threat also applies to Windows 98, Windows 98 SE, and Windows ME—the original report listed only Windows 2000. Microsoft lists these earlier versions as affected, but there is no available update, so the only fix may be an upgrade. Microsoft has rated this vulnerability as important, and it only releases updates for these OS versions for critical security issues.
Meanwhile, Firefox has sprouted more security holes in version 1.0.3, which Mozilla rushed out to fix holes in 1.0.2. The French Security Incident Response Team was apparently the first to find the new major flaw in Firefox 1.0.3, which is a remote code execution threat. Secunia also lists new Firefox vulnerabilities in Advisory 15292 (CAN-2005-1476 and CAN-2005-1477).
Mozilla has released Firefox 1.0.4 to address these issues. Exploits are already circulating, so this upgrade is essential. Version 1.0.4 includes the following security fixes:
- MFSA 2005-44: Privilege escalation via non-DOM property overrides
Microsoft Security Bulletin MS05-024 applies primarily to Windows 2000, Service Pack 3 and Service Pack 4 only.
The Firefox threat applies to all versions prior to 1.0.4. Mozilla 1.7.7 users should also check to see if they need to update to Mozilla 1.7.8.
Risk level – Important to highly critical
The Microsoft threat is relatively minor; however, the new holes in Firefox are very serious.
To obtain the necessary patch for Windows, check out Microsoft Security Bulletin MS05-024.
Firefox users should bookmark the Mozilla Firefox Release Notes Web page, which always lists the latest versions (currently Firefox 1.0.4).
OK, some of you will accuse me of being a Microsoft flunky, but I wouldn't be doing my job if I failed to point out that we're seeing more and more serious—even critical—vulnerabilities emerge in Firefox, a browser whose main selling point is that it's much more secure than Internet Explorer.
But let's face it: One major reason many open source programs appear to be much more secure is simply because they're not as big a target. Microsoft has traditionally been the biggest target for attackers. However, as more and more people begin to swarm to Linux, Firefox, and other open source tools, hackers will also turn their attention to these programs and begin to find exploits.
Everyone has been touting Firefox's security. But now it turns out to be little more secure than IE, especially when you take the time to lock IE down correctly. If you don't like ActiveX—and who does?—turn it off!
I'm not picking on open source; I think the folks at Mozilla have done all of us a great service. I use Firefox myself—I just use it without the anti-Microsoft blinders on.
And I'm not saying that Microsoft does any better on the security front. I just want to remind everyone who makes a living in software security that they can't place their clients and employers at risk exclusively on the basis that some open source program is more secure only because it hasn't seen wide use.
Developing software is hard. People have forgotten how hard it is because of all the object-oriented tools that make it look easy. But real commercial-grade code-crunching is very difficult, and making sure that millions of lines of code are not only perfect—but also don't point to some hole-ridden library—is simply impossible.
And, in response to those who argue that open source programs receive patches more quickly: In both the corporate and government arenas, patching is a major headache and expense. The fact that patches are available more quickly doesn't add any more dollars to the budget or time on the clock to install these patches. I applaud fast patching, but it isn't that important to those of us who would prefer something that just never needs patching—that's where the real time and money savings would come in.
I look forward to reading other views in this article's discussion, but don't forget the importance of the bottom line, or that Mozilla.org—not me, not Secunia—lists a lot of critical flaws in all versions of Firefox through 1.0.3.
Also watch for …
- A new entry in Microsoft's extremely limited malware battle, the Malicious Software Removal Tool (MSRT), is now available for download. This update is a monthly occurrence for this tool, when Microsoft adds one or two new pieces of malware to the tool's removal database. This month's addition is Sdbot. While MSRT is fine, I find it hardly worth the effort because it deals with so few problems, and most readers should already have a good antivirus tool or two in their toolkit.
- Microsoft has announced a new bug notification service, dubbed Microsoft Security Advisories, in an effort to confirm reports of flaws and provide a workaround until a patch is available.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.