The February Microsoft Security Bulletin release was so
large that we had to break coverage into two issues. This one includes
less-than-critical threats to Windows as well as all the newly patched threats
to Office.

Details

  • MS05-004,
    “ASP.NET Path Validation Vulnerability,” is an elevation of privilege and information
    disclosure threat. This was being actively exploited at the time the
    bulletin was released.
  • MS05-005,
    “Vulnerability in Microsoft Office XP,” is a remote code execution threat caused
    by a buffer overrun. This is the only critical-rated threat covered in
    this issue. It was not being exploited at the time the bulletin was
    released.
  • MS05-006,
    “Vulnerability in Windows SharePoint Services and SharePoint Team Services
    Could Allow Cross-Site Scripting and Spoofing Attacks,” is a remote code
    execution vulnerability that was not being exploited at the time the
    bulletin was released.
  • MS05-007,
    “Vulnerability in Windows Could Allow Information Disclosure,” is a
    “named-pipe vulnerability” and no exploits had been seen at the time
    the bulletin was released. Named pipes (see the MSDN Library Web site)
    are used by processes which need to communicate with each other. The
    vulnerability is due to poor authentication.
  • MS05-008,
    “Vulnerability in Windows Shell Could Allow Remote Code Execution,” is a
    drag-and-drop vulnerability which is being actively exploited. It is
    caused by improper validation of some DHTML (Dynamic HTML) events.

Applicability

  • MS05-004 affects both .NET
    Framework 1.0 and 1.1. The affected component is ASP.NET. Note that the
    Microsoft Baseline Security Analyzer will NOT report on the need to patch this
    vulnerability but a new Enterprise Update Scanning Tool will assist.
  • MS05-005 affects all versions and
    service pack releases of Office XP, Project 2002, Visio 2002, Works Suite
    2002, 2003, and 2004. Not affected are Office 2000 and 2003. Microsoft
    Baseline Security Analyzer (MBSA) will report if this update is required.
  • MS05-006 only affects Windows
    SharePoint Services for Windows Server 2003 and SharePoint Team Services. Note
    that the Microsoft Baseline Security Analyzer will report on the need to
    patch some programs for this vulnerability but a new Enterprise Update
    Scanning Tool will assist in determining whether software unsupported by
    MBSA needs the update.
  • MS05-007 only applies to Windows
    XP SP1 and SP2, as well as the 64-bit XP Itanium edition. The Microsoft Baseline
    Security Analyzer (MBSA) will report if this update is required.
  • MS05-008 applies to Windows 2000
    SP3 and SP4, XP SP1 and SP2, as well as 64-bit Itanium versions of XP,
    Windows Server 2003 including Itanium versions, and Windows 98, 98 SE, and
    Me. The Microsoft Baseline Security Analyzer (MBSA) will report if this
    update is required.

Risk level – Maximum rating is critical

  • MS05-004 is rated important, and
    you need to be aware that exploits are being seen in the wild. This
    vulnerability carries the Mitre designation – Path Validation
    Vulnerability – CAN-2004-0847.
  • MS05-005 is rated critical and has
    been given the Mitre designation – CAN-2004-0848.
  • MS05-006 is only rated moderate
    because it only affects uses of SharePoint. This vulnerability carries the
    Mitre designation – Cross-site Scripting and Spoofing Vulnerability – CAN-2005-0049.
  • MS05-007 is rated important for XP
    SP1 but moderate for XP SP2 and carries the Mitre designation – Named Pipe
    Vulnerability – CAN-2005-0051.
  • MS05-008 carries a not-critical
    rating for Windows 98, 98 SE, and Me; an important rating for Windows 2000
    and XP; and a moderate rating for Windows Server 2003. This threat has
    been assigned the Mitre designation CAN-2005-0053.

Mitigating factors

  • MS05-004, according to Microsoft,
    “only affects sites which require authenticated access.”
  • MS05-005 can only be exploited if
    the user can be persuaded to open a malicious link. This would not occur
    automatically unless default settings were altered.
  • MS05-006 has a few rather complex
    mitigating circumstances; see the bulletin for details.
  • MS05-007 is mitigated by best
    firewall practices and the fact that the vulnerable Computer Browser
    service does not run by default on XP SP2 systems.
  • MS05-008 is mitigated by the fact
    that most recent and patched versions of Outlook and Outlook Express open
    HTML e-mails in the Restricted security zone.

Fix – Apply patches

  • MS05-004 can be mitigated by
    applying the mitigation code module described in Microsoft Knowledge Base
    article 887289 as a workaround. For other workarounds see the bulletin.
  • MS05-005 has a simple workaround
    to reduce the threat. In the Tools menu, choose Folder Options | File
    Types | Advanced and check Confirm Open After Download. Uncheck Browse In
    Same Window, and users will be prompted before code is run. This doesn’t
    prevent the user from running it anyway, just prevents automatic
    infection.
  • MS05-006 doesn’t have any
    workaround identified by Microsoft.
  • MS05-007 can be mitigated using
    the Microsoft recommended workaround of disabling the Computer Browser
    service. Also, blocking TCP ports 139 and 455 in the firewall will block
    attempts by the affected protocol to make a connection. Using the Internet
    Connection Firewall, do not enable “File and Printer Sharing for Microsoft
    Networks.”
  • MS05-008 can be mitigated by
    setting your browser to prompt before running ActiveX controls and
    plug-ins. You should also set Internet and Local intranet security
    settings to High. You can also disable “Drag and Drop or copy and paste
    files” in Internet Explorer.

Final word

The threats covered by these bulletins are relatively minor,
even the one marked critical. Microsoft has introduced a new tool to assist
managers. Microsoft Knowledge Base Article 984193 describes the Enterprise
Update Scanning Tool.

Based on the discovery of the first Trojan to target the
software (see below) I have deleted Microsoft’s AntiSpyware beta from my
machine. Before you Microsoft bashers start cheering that yet another Microsoft
program carries hidden threats, check out the note below on Symantec security
product vulnerabilities.

This slew of critical and less-than-critical security
updates certainly doesn’t do anything to fix Microsoft’s image, but it’s
important to remember that virtually every other vendor has security problems
also. I only point that out because too many people seem to get dangerously
complacent if they avoid Microsoft products and the complacency simply isn’t
justified.


Also watch for …

  • Stocks of other antivirus companies took a hit recently as Microsoft’s
    announced acquisition of small AV e-mail protection software vendor
    Sybari Software Inc. caused everyone to recognize that the Redmond-based
    giant is serious about getting into the AV business.
  • Sophos has announced the discovery of the first Trojan (BankAsh) that
    attacks the new Microsoft AntiSpyware software, which is still in beta.
  • ISS-Xforce has discovered a number of high-risk vulnerabilities
    in a wide range of Symantec security programs, including those for the
    Macintosh platform. Symantec has provided fixes for the UPX parsing
    engine overflow.