The February Microsoft Security Bulletin release was so
large that we had to break coverage into two issues. This one includes
less-than-critical threats to Windows as well as all the newly patched threats
to Office.
Details
- MS05-004, “ASP.NET Path Validation Vulnerability,” is an elevation of privilege and information disclosure threat. This was being actively exploited at the time the bulletin was released.
- MS05-005, “Vulnerability in Microsoft Office XP,” is a remote code execution threat caused by a buffer overrun. This is the only critical-rated threat covered in this issue. It was not being exploited at the time the bulletin was released.
- MS05-006, “Vulnerability in Windows SharePoint Services and SharePoint Team Services Could Allow Cross-Site Scripting and Spoofing Attacks,” is a remote code execution vulnerability that was not being exploited at the time the bulletin was released.
- MS05-007, “Vulnerability in Windows Could Allow Information Disclosure,” is a “named-pipe vulnerability,” and no exploits had been seen at the time the bulletin was released. Named pipes (see the MSDN Library Web site) are used by processes that need to communicate with each other. The vulnerability is due to poor authentication.
- MS05-008, “Vulnerability in Windows Shell Could Allow Remote Code Execution,” is a drag-and-drop vulnerability which is being actively exploited. It is caused by improper validation of some DHTML (Dynamic HTML) events.
Applicability
- MS05-004 affects both .NET Framework 1.0 and 1.1. The affected component is ASP.NET. Note that the Microsoft Baseline Security Analyzer will NOT report on the need to patch this vulnerability, but a new Enterprise Update Scanning Tool will assist.
- MS05-005 affects all versions and service pack releases of Office XP, Project 2002, Visio 2002, Works Suite 2002, 2003, and 2004. Not affected are Office 2000 and 2003. Microsoft Baseline Security Analyzer (MBSA) will report if this update is required.
- MS05-006 only affects Windows SharePoint Services for Windows Server 2003 and SharePoint Team Services. Note that the Microsoft Baseline Security Analyzer will report on the need to patch some programs for this vulnerability, but a new Enterprise Update Scanning Tool will assist in determining whether software unsupported by MBSA needs the update.
- MS05-007 only applies to Windows XP SP1 and SP2, as well as the 64-bit XP Itanium edition. The Microsoft Baseline Security Analyzer (MBSA) will report if this update is required.
- MS05-008 applies to Windows 2000 SP3 and SP4, XP SP1 and SP2, as well as 64-bit Itanium versions of XP, Windows Server 2003 including Itanium versions, and Windows 98, 98 SE, and Me. The Microsoft Baseline Security Analyzer (MBSA) will report if this update is required.
Risk level – Maximum rating is critical
- MS05-004 is rated important, and you need to be aware that exploits are being seen in the wild. This vulnerability carries the Mitre designation – Path Validation Vulnerability – CAN-2004-0847.
- MS05-005 is rated critical and has been given the Mitre designation – CAN-2004-0848.
- MS05-006 is only rated moderate because it only affects uses of SharePoint. This vulnerability carries the Mitre designation – Cross-site Scripting and Spoofing Vulnerability – CAN-2005-0049.
- MS05-007 is rated important for XP SP1 but moderate for XP SP2 and carries the Mitre designation – Named Pipe Vulnerability – CAN-2005-0051.
- MS05-008 carries a not-critical rating for Windows 98, 98 SE, and Me; an important rating for Windows 2000 and XP; and a moderate rating for Windows Server 2003. This threat has been assigned the Mitre designation CAN-2005-0053.
Mitigating factors
- MS05-004, according to Microsoft, “only affects sites which require authenticated access.”
- MS05-005 can only be exploited if the user can be persuaded to open a malicious link. This would not occur automatically unless default settings were altered.
- MS05-006 has a few rather complex mitigating circumstances; see the bulletin for details.
- MS05-007 is mitigated by best firewall practices and the fact that the vulnerable Computer Browser service does not run by default on XP SP2 systems.
- MS05-008 is mitigated by the fact that most recent and patched versions of Outlook and Outlook Express open HTML e-mails in the Restricted security zone.
Fix – Apply patches
- MS05-004 can be mitigated by applying the mitigation code module described in Microsoft Knowledge Base article 887289 as a workaround. For other workarounds see the bulletin.
- MS05-005 has a simple workaround to reduce the threat. In the Tools menu, choose Folder Options | File Types | Advanced and check Confirm Open After Download. Uncheck Browse In Same Window, and users will be prompted before code is run. This doesn’t prevent the user from running it anyway, just prevents automatic infection.
- MS05-006 doesn’t have any workaround identified by Microsoft.
- MS05-007 can be mitigated using the Microsoft recommended workaround of disabling the Computer Browser service. Also, blocking TCP ports 139 and 455 in the firewall will block attempts by the affected protocol to make a connection. Using the Internet Connection Firewall, do not enable “File and Printer Sharing for Microsoft Networks.”
- MS05-008 can be mitigated by setting your browser to prompt before running ActiveX controls and plug-ins. You should also set Internet and Local intranet security settings to High. You can also disable “Drag and Drop or copy and paste files” in Internet Explorer.
Final word
The threats covered by these bulletins are relatively minor,
even the one marked critical. Microsoft has introduced a new tool to assist
managers. Microsoft Knowledge
Base Article 984193 describes the Enterprise Update Scanning Tool.
Based on the discovery of the first Trojan to target the
software (see below) I have deleted Microsoft’s AntiSpyware beta from my
machine. Before you Microsoft bashers start cheering that yet another Microsoft
program carries hidden threats, check out the note below on Symantec security
product vulnerabilities.
This slew of critical and less-than-critical security
updates certainly doesn’t do anything to fix Microsoft’s image, but it’s
important to remember that virtually every other vendor has security problems
also. I only point that out because too many people seem to get dangerously
complacent if they avoid Microsoft products and the complacency simply isn’t
justified.
Also watch for …
- Stocks of other antivirus companies took a hit recently as Microsoft’s announced acquisition of small AV e-mail protection software vendor Sybari Software Inc. caused everyone to recognize that the Redmond-based giant is serious about getting into the AV business.
- Sophos has announced the discovery of the first Trojan (BankAsh) that attacks the new Microsoft AntiSpyware software, which is still in beta.
- ISS-Xforce has discovered a number of high-risk vulnerabilities in a wide range of Symantec security programs, including those for the Macintosh platform. Symantec has provided fixes for the UXP parsing engine overflow.