Microsoft releases one security bulletin for November

After releasing nine security bulletins in October, Microsoft scaled back this month and released only one security bulletin. But don't let the 'cutback' fool you—MS05-053 addresses several vulnerabilities, two of which are critical. Get the details in this edition of the IT Locksmith.

Redmond stuck to its schedule this month and released its expected
security update on the expected date. After an embarrassment of riches in
October, when
the software giant released nine security bulletins, Microsoft scaled back
in November and released just one. However, the bulletin addresses several
vulnerabilities, two of which are critical.

Details

Microsoft’s security department kept to its schedule this
month and released one security bulletin for the regularly scheduled November 8
deadline. Microsoft
Security Bulletin MS05-053, “Vulnerabilities in Graphics Rendering
Engine Could Allow Code Execution,” addresses some new individual
vulnerabilities as well as replaces both MS03-045 and MS05-002 for
Windows XP Service Pack1 only.

MS05-053 addresses the following vulnerabilities:

Graphics Rendering Engine vulnerability:
This is a remote code execution threat caused by a buffer overrun in the
Windows Metafile and Enhanced Metafile image rendering engine (CAN-2005-2123).
As of November 14, there have been no reports of exploits in the wild.
Researchers had disclosed none of these vulnerabilities publicly prior to
the release of the update.
Windows Metafile vulnerability: This
is also a remote code execution threat caused by an unchecked buffer in
the Windows Metafile image rendering engine (CAN-2005-2124).
As of November 14, there have been no reports of
exploits in the wild. Researchers had disclosed none of these
vulnerabilities publicly prior to the release of the update.
Enhanced Metafile vulnerability: This
is a denial of service threat with a maximum severity rating of moderate (CAN-2005-0803).
The culprit is an unchecked buffer in the Enhanced Metafile image
rendering engine. While proof of concept code has appeared on the
Internet, Microsoft reports that it hasn’t received any notification of
actual attacks based on this vulnerability.

Microsoft Baseline Security Analyzer (MBSA) 1.2.1 and MBSA
2.0 will indicate if this update is necessary. In addition, Systems Management
Server (SMS) will also detect whether the update is required and can help
deploy this update.

Applicability

The threats generally affect Windows 2000 and later
versions, including the 64-bit and Itanium editions.

The Graphics Rendering Engine vulnerability affects the
following:

Windows
2000 SP4
All
versions of Windows XP
All
versions of Windows Server 2003

The Windows Metafile vulnerability and the Enhanced Metafile
vulnerability affect the following:

Windows
2000 SP4
Windows
XP SP1 (but not Windows XP SP2)
Windows
Server 2003 (but not Windows
Server 2003 SP1)

Risk level

Microsoft rates the Graphics Rendering Engine vulnerability as
critical for all affected platforms. The Windows Metafile vulnerability is a critical
threat for Windows 2000 SP4, Windows XP SP1, and Windows Server 2003; however,
it is not a threat for Windows XP SP2 and Windows Server 2003 SP1.

The Enhanced Metafile vulnerability is only a moderate threat
for Windows 2000 SP4, Windows XP SP1, and Windows Server 2003. This
vulnerability poses no threat to Windows XP SP2 or Windows Server 2003 SP1. The
severity ratings are the same for comparable 64-bit and Itanium-based versions.

Mitigating factors

Again, fully updated Windows XP and Windows Server 2003
operating systems are not vulnerable to two of the three threats included in
this security bulletin. In addition, best practices—such as not randomly visiting
strange Web sites and using e-mail only in text mode—can eliminate the threat
from the critical Graphics Rendering Engine vulnerability. However, these best
practices don’t protect you from an embedded image in an Office document, but
you can mitigate that threat by not opening documents from untrusted sources.

Fix

Install the update. According to Microsoft, fix the message
length verification so it isn’t as likely to cause other problems as more major
patches sometimes do.

As a workaround for the most serious threat, the Graphics Rendering
engine vulnerability, avoid untrusted Web sites that may contain malicious
graphics files, and open all e-mails in text mode.

Final word

There’s certain to be the usual flurry of complaints about
Microsoft concerning this security bulletin, but it’s only fair to point out
that anyone following best practices—and enforcing those practices among the
users they support—would probably have little exposure to these threats. It’s
sort of like having your identity stolen because you fell for a phishing
scheme: You mostly have yourself to blame even though it makes you feel better
to blame the vendor.

Although this patch is less likely to have unintended
consequences than some of the major patches, keep in mind that any alteration to your system software
has the potential to cause a problem with some poorly written application.
Therefore, whenever possible, fully test any patch before installing it on a
mission-critical system.

In other news, the European Union, China, and the United
Nations are challenging ICANN and U.S. dominance of the Internet. The groups are
calling for more international control over the naming of domains and so forth—in
other words, the ability to censor just who and what goes on the Web.

And that’s the topic for discussion this week: How do you
feel about the way ICANN has managed the Internet—and especially freedom of speech—on
the Web? Do you think China or the European Union would do a better job? And
what do you think about just giving control of the Internet to the U.N.? After
all, it has a lot of experience managing the world by committee—just look at the
fine job the Security Council has done keeping peace in the world and
administering the oil-for-food program in Iraq. Would you like to see it do the
same kind of job on managing the Internet?

Also watch for…

While
we’re still in a relatively quiet malware period, it’s important to note
that a new
Linux worm has surfaced. Lupper plants a backdoor on infected systems on
UDP port 7222, and it degrades network performance by trying to find other
Linux systems to infect on the Web. Since this is a backdoor threat, Symantec
recommends that if you detect Lupper, reinstall the operating system
to clean out any other changes that someone exploiting the backdoor may
have made.
Microsoft
has published Security
Advisory 910550, which addresses the Macromedia
Flash Player 7 vulnerability, because many Microsoft operating systems
include Flash Player. For more information, see the Macromedia Security Bulletin.

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

PURPOSE These guidelines from TechRepublic Premium will help you define the necessary ingredients of a security policy and assist in its proper construction. They’re designed to work hand in hand with the subjective knowledge you have of your company, environment and employees. Using this information, your business can establish new policies or elaborate on those ...

Microsoft releases one security bulletin for November