After releasing only three security bulletins in July, Microsoft is ramping back up with six security bulletins for August. However, only three of the updates are critical, and of those three, only one has seen active exploitation so far.

Details

Microsoft released six security bulletins for August and has rated three of them as critical: MS05-038, MS05-039, and MS05-043. However, only one update (MS05-038) is currently under attack.

Redmond has deemed the remaining three security bulletins—MS05-040, MS05-041, and MS05-042—as important and moderate threats. I’ll focus on the critical bulletins in this issue, and I’ll bring you up to speed on the remaining updates in my next column.

Microsoft also updated MS05-030 this month to reflect the fact that it isn’t a cumulative update—and does not supersede MS04-018. In addition, it rereleased two earlier security bulletins: MS05-023 and MS05-032.

MS05-038

Microsoft Security Bulletin MS05-038, “Cumulative Security Update for Internet Explorer,” includes hot fixes released since Microsoft Security Bulletins MS04-004 or MS04-025 (both released last year). However, the update will only install those hot fixes on systems that haven’t already received them.

Some of the patched vulnerabilities are remote code
execution threats. And in addition to including earlier updates, this bulletin also
includes patches for several newly discovered vulnerabilities in IE:

  • JPEG Image Rendering Memory Corruption Vulnerability (CAN-2005-1988): While publicly known, no exploits of this vulnerability have surfaced in the wild as of the release date for the patch.
  • Web Folder Behaviors Cross-Domain Vulnerability (CAN-2005-1989): This vulnerability is a new, privately reported threat that hasn’t yet surfaced in the wild.
  • COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-1990): Portions of this threat were public knowledge, and there have been reports of exploits in the wild.

Applicability

  • Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
  • IE 5.5 SP2 on Windows ME
  • IE 6 on Windows XP SP2
  • IE 6 SP1 on all systems prior to Windows Server 2003
  • IE 6 for all versions of Windows Server 2003 (including the 64-bit edition)

Some of the threats addressed by this bulletin don’t affect Windows 98 versions, but these versions are critically vulnerable to others. In particular, the COM object memory threat critically affects Windows 98, Windows 98 SE, and Windows ME.

Microsoft Baseline Security Analyzer (MBSA) 1.2.1 and 2.0
will indicate if portions of this set of patches are necessary, but MBSA
doesn’t appear to catch all of the components. Systems Management Server (SMS)
can also detect whether portions of this update are necessary, and it can
perform the update for only some of the components if necessary.

Risk level
The COM Object Instantiation Memory Corruption Vulnerability is a critical
remote code execution threat for all affected systems except IE 6 on Windows Server 2003. Furthermore, exploits of this
threat have surfaced in the wild.

The JPEG Image Rendering Memory Corruption Vulnerability is a
critical threat for all affected versions. The Web Folder Behaviors
Cross-Domain Vulnerability is only a moderate to low threat to systems.

Mitigating factors
While the JPEG vulnerability is critical for all affected versions, Windows
Server 2003 runs in an enhanced security mode by default, which reduces the
risk.

Using the best practice of opening HTML e-mails in a
restricted security zone will help mitigate the Web folder threat, and some
versions do this by default. By default, Windows Server 2003 and Windows XP SP2
both run in an enhanced security mode, which reduces the risk from this threat.

Fix
Install the updates. As a workaround for the Web folder vulnerability, don’t
open or view e-mails in HTML, configure IE to run in
the High security mode for both the Internet and Local Intranet zones, and set
the system to prompt the user before running ActiveX controls—or simply disable
them.

This cumulative patch will change some functionality in IE—both
those related to security and others included in earlier updates that don’t
involve vulnerabilities. Specifically, installation of the patches will disable
arbitrary system monikers in OBJECT tags. It will also restrict the Favorites functionality
and set some kill bits in ActiveX controls. For more information, read the
security bulletin if this is a concern.

MS05-039

Microsoft Security Bulletin MS05-039, “Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege,” addresses a PnP vulnerability that’s a remote code execution threat (CAN-2005-1983). This is a new, privately reported threat that hasn’t yet surfaced in the wild.

Applicability

  • Windows 2000 SP4
  • All versions of Windows XP (including SP2 and 64-bit editions)
  • All versions of Windows Server 2003 (including Itanium editions)

Due to the inclusion of the Internet Connection Firewall (ICF) and later firewall versions in current Windows XP versions, the major threat from this vulnerability is to those running Windows 2000. This vulnerability does not affect Windows 98, Windows 98 SE, or Windows ME.

Note: Microsoft warns that the Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) protocols may also be vulnerable to this threat.

MBSA 1.2.1 and 2.0 will detect whether an update is necessary. SMS can detect the problem and help deploy the update.

Risk level
Microsoft has rated this threat as critical for Windows 2000 systems. It is
only a moderate threat for Windows XP and Windows Server 2003 systems.

Mitigating factors
Using firewall best practices to configure firewall settings should block this
attack. In addition, an attacker would need valid logon information to
penetrate a system.

Fix
Install the updates. As a workaround, block TCP ports 139 and 445 at the
firewall, and enable advanced TCP/IP filtering where practical.

MS05-043

Microsoft Security Bulletin MS05-043, “Vulnerability in Print Spooler Service Could Allow Remote Code Execution,” addresses a privately reported vulnerability. No exploits have surfaced in the wild.

Applicability

  • Windows 2000 SP4
  • Windows XP SP1 and SP2
  • Windows Server 2003
  • Microsoft Windows Server 2003 for Itanium-based Systems

MBSA 1.2.1 and 2.0 will detect whether an update is necessary. SMS can detect the problem and help deploy the update.

Risk level
This is a critical threat for Windows 2000 and Windows XP SP1. However, it’s only
a moderate threat for Windows XP SP2 and Windows Server 2003 systems, partially
because it would likely only trigger a denial-of-service attack on those
systems.

Mitigating factors
Windows XP SP2 and Windows Server 2003 are only vulnerable to attacks from
authorized users. Using firewall best practices should protect all systems from
outside attacks.

Fix
Install the updates. As a workaround, disable the Print Spooler service. On
Windows 2000 systems, you can edit the registry to remove the Print Spooler
service from the NullSessionPipes registry key. For instructions on both
workarounds, read the security bulletin.
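As an added example (not code from the column or from Microsoft), here is a small Python audit that reads a `reg export` dump of the two relevant keys and reports whether the MS05-043 workarounds above are in place. It assumes the spooler’s named-pipe entry in NullSessionPipes is SPOOLSS (the column does not name it), that the keys live under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and ...\Services\Spooler, and that a service Start value of 4 means “Disabled”; the sample export is constructed.

```python
# Added example, not from the column: audit the MS05-043 workarounds from a
# 'reg export' dump. Assumed: SPOOLSS is the spooler's pipe entry (the column
# does not name it), and Spooler\Start=4 means "Disabled".
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
SPOOLER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler"
SERVICE_DISABLED = 4

def parse_reg_export(text):
    """Minimal .reg parser -> {key path: {value name: value}}; decodes dword:
    and hex(7): (REG_MULTI_SZ: UTF-16LE, NUL-separated, '\\' continuations)."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\"):  # hex data continues on the next line
            line = line[:-1] + next(lines).strip()
        name, _, raw = line.partition("=")
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            value = [s for s in data.decode("utf-16-le").split("\0") if s]
        else:
            value = raw  # other types (REG_SZ, binary) kept as the raw text
        keys[current][name.strip('"')] = value
    return keys

def ms05_043_workaround_status(reg):
    """True means that workaround from the bulletin is in place."""
    pipes = reg.get(LANMAN, {}).get("NullSessionPipes", [])
    start = reg.get(SPOOLER, {}).get("Start")
    return {"spooler_disabled": start == SERVICE_DISABLED,
            "spoolss_removed_from_null_session_pipes":
                not any(p.upper() == "SPOOLSS" for p in pipes)}

# Constructed sample: spooler running (Start=2) and SPOOLSS still listed.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,53,00,50,00,\
  4f,00,4f,00,4c,00,53,00,53,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"""
if __name__ == "__main__":
    print(ms05_043_workaround_status(parse_reg_export(SAMPLE_EXPORT)))
```

Run `reg export` of each key on the host under review and feed the files to parse_reg_export; both flags False means neither workaround has been applied.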

Final word

Whew! That pretty
much leaves no space for any other threats in this edition, but I haven’t seen
anything else out there that’s particularly dangerous, and no exploits have
surfaced. And it’s fortunate that no one seems to be exploiting the JPEG vulnerability
yet because it would trigger just from viewing the malware-infected image.

On a final note, Microsoft has reached an agreement with major spammer Scott Richter, resulting in a $7 million payment to the company, which will use the funds to help fight computer-related crimes. While this could make a dent in the junk mail traffic, it’s more likely that someone overseas—and therefore outside the reach of U.S. law—will just fill his shoes. Remember, spam isn’t even illegal in several countries.


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.