Yes, Virginia, it’s possible to have only one security threat that requires a
patch in a Microsoft security bulletin. But the pendulum swings the other way
for the Firefox browser, which has seen several critical new threats emerge.

Details

This month’s regularly scheduled security bulletin from Microsoft consisted of only one relatively minor patch. Microsoft Security Bulletin MS05-024, “Vulnerability in Web View Could Allow Remote Code Execution,” covers a script injection vulnerability that could allow a remote attacker to run arbitrary code on a system.

The available patch fixes the problem first reported by GreyMagic on January 18, but I’ve seen no reports of exploits in the wild. While it has some serious potential, it only affects Windows 2000 and earlier systems, so it likely won’t apply to many organizations.

In fact, some confusion exists as to whether this threat also applies to Windows 98, Windows 98 SE, and Windows ME—the original report listed only Windows 2000. Microsoft lists these earlier versions as affected, but there is no available update, so the only fix may be an upgrade. Microsoft has rated this vulnerability as important, and it only releases updates for these OS versions for critical security issues.

Meanwhile, Firefox has sprouted more security holes in version 1.0.3, which Mozilla rushed out to fix holes in 1.0.2. The French Security Incident Response Team was apparently the first to find the new major flaw in Firefox 1.0.3, which is a remote code execution threat. Secunia also lists new Firefox vulnerabilities in Advisory 15292 (CAN-2005-1476 and CAN-2005-1477).

Mozilla has released Firefox 1.0.4 to address these issues. Exploits are already circulating, so this upgrade is essential. Version 1.0.4 includes the following security fixes:

  • MFSA 2005-44: Privilege escalation via non-DOM property overrides
  • MFSA 2005-43: “Wrapped” JavaScript: URLs bypass security checks
  • MFSA 2005-42: Code execution via JavaScript: IconURL

Applicability

Microsoft Security Bulletin MS05-024 applies primarily to Windows 2000, service packs 3 and 4 only.

The Firefox threat applies to all versions prior to 1.0.4. Mozilla 1.7.7 users should also check to see if they need to update to Mozilla 1.7.8.

Risk level – Important to highly critical

The Microsoft threat is relatively minor; however, the new holes in Firefox are very serious.

Fix

To obtain the necessary patch for Windows, check out Microsoft Security Bulletin MS05-024.

Firefox users should bookmark the Mozilla Firefox Release Notes Web page, which always lists the latest versions (currently Firefox 1.0.4).

Final word

OK, some of you will accuse me of being a Microsoft flunky, but I wouldn’t be doing my job if I failed to point out that we’re seeing more and more serious—even critical—vulnerabilities emerge in Firefox, a browser whose main selling point is that it’s much more secure than Internet Explorer.

But let’s face it: One major reason many open source programs appear to be much more secure is simply because they’re not as big a target. Microsoft has traditionally been the biggest target for attackers. However, as more and more people begin to swarm to Linux, Firefox, and other open source tools, hackers will also turn their attention to these programs and begin to find exploits.

Everyone has been touting Firefox’s security. But now it turns out to be little more secure than IE, especially when you take the time to lock IE down correctly. If you don’t like ActiveX—and who does?—turn it off!

I’m not picking on open source; I think the folks at Mozilla have done all of us a great service. I use Firefox myself—I just use it without the anti-Microsoft blinders on.

And I’m not saying that Microsoft does any better on the security front. I just want to remind everyone who makes a living in software security that they can’t place their clients and employers at risk solely on the basis that some open source program appears more secure only because it hasn’t seen wide use.

Developing software is hard. People have forgotten how hard it is because of all the object-oriented tools that make it look easy. But real commercial-grade code-crunching is very difficult, and making sure that millions of lines of code are not only perfect—but also don’t depend on some hole-ridden library—is simply impossible.

And, in response to those who argue that open source programs receive patches more quickly: In both the corporate and government arenas, patching is a major headache and expense. The fact that patches are available more quickly doesn’t add any more dollars to the budget or time on the clock to install these patches. I applaud fast patching, but it isn’t that important to those of us who would prefer something that just never needs patching—that’s where the real time and money savings would come in.

I look forward to reading other views in this article’s discussion, but don’t forget the importance of the bottom line, or that Mozilla.org—not me, not Secunia—lists a lot of critical flaws in all versions of Firefox through 1.0.3.

Also watch for …

  • A new entry in Microsoft’s extremely limited malware battle, the Malicious Software Removal Tool (MSRT), is now available for download. This update is a monthly occurrence for this tool, when Microsoft adds one or two new pieces of malware to the tool’s removal database. This month’s addition is Sdbot. While MSRT is fine, I find it hardly worth the effort because it deals with so few problems, and most readers should already have a good antivirus tool or two in their toolkit.
  • Microsoft has announced a new bug notification service, dubbed Microsoft Security Advisories, in an effort to confirm reports of flaws and provide a workaround until a patch is available.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.