After releasing 10 security bulletins in June, Microsoft
appears to be back to enjoying the summer. The software giant released only
three security bulletins for July. While all three are rated critical, none of the
underlying vulnerabilities appears to pose a highly dangerous threat, and only one
has seen active exploitation so far.

Details

Microsoft released three security bulletins for July:
MS05-035, MS05-036, and MS05-037. All three are rated critical and address remote
code execution, but only one really appears important at the moment.

In addition, MS05-033
recently underwent a major revision (version 2.0). The change isn’t due to any
problem discovered in the initial release; it’s simply a notification of the
availability of a security update for Services for UNIX 2.0 and Services for
UNIX 2.1.

MS05-035

Microsoft Security Bulletin MS05-035, "Vulnerability in Microsoft Word Could
Allow Remote Code Execution," which replaces MS05-023, is probably the most
important of the three bulletins. (However, Microsoft rates this threat critical
only for Word 2000 and the affected Works Suite versions; for Word 2002 it is
rated important.) The font-parsing vulnerability can permit remote code
execution in some circumstances (CAN-2005-0564).

This is a newly discovered, not publicly disclosed
vulnerability. According to Microsoft, no one is currently exploiting it in the
wild.

Applicability

  • Word 2000
  • Word 2002
  • Microsoft Works Suite 2000
  • Microsoft Works Suite 2001
  • Microsoft Works Suite 2002
  • Microsoft Works Suite 2003
  • Microsoft Works Suite 2004

Word 2003 and Word 2003 Viewer are not vulnerable. Microsoft
hasn’t tested versions earlier than Word 2000 for this vulnerability.

Risk level
Microsoft has rated this vulnerability as critical for Microsoft Word 2000 and all
affected versions of Microsoft Works Suite. Microsoft has rated it an important
threat for Word 2002.

Mitigating factors
An attacker could gain only the privileges of the logged-on user. Following
the best practice of running the application with the lowest possible privilege
helps reduce the threat. In addition, a user must actually open the malicious
document in Word; merely receiving or opening an e-mail that carries it as an
attachment won't trigger the attack.

Fix
Apply the update. The Microsoft Baseline Security Analyzer (MBSA) 1.2.1 will
report if an update is necessary. MBSA 2.0 will also detect the problem;
however, it doesn't support Microsoft Office 2000. Systems Management Server
(SMS) does detect the problem in some instances, and it can deploy the update.
As a workaround, don't open Word documents from an unknown source.

MS05-036

Microsoft Security Bulletin MS05-036, "Vulnerability in Microsoft Color
Management Module Could Allow Remote Code Execution," gets a high-risk
rating because the threat allows remote code execution and would be difficult
to detect (CAN-2005-1219).

The flaw lies in the way the module validates the format tags in an
International Color Consortium (ICC) profile. To exploit it, an attacker would
have to craft a special image file carrying a malicious ICC profile and place it
on a Web site or send it as an e-mail attachment.
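As an added illustration (my own code, not code from the column, the bulletin, or Microsoft), the Python below parses an ICC profile's tag table the way a hardened color module should, and shows the classic way "tag validation" of this kind goes wrong: a size field chosen so that offset + size wraps around in 32-bit arithmetic and slips past a naive bounds check. The profile bytes and the crafted entry are constructed inline. This demonstrates the general class of bug, not a claim about what the patched code behind MS05-036 actually did.

```python
import struct

HEADER_LEN = 128        # fixed-size ICC profile header
TAG_COUNT_OFF = 128     # uint32 tag count immediately follows the header
TAG_ENTRY_LEN = 12      # each entry: 4-byte signature, uint32 offset, uint32 size


class ICCError(ValueError):
    """Any structural problem: the caller must treat the profile as hostile input."""


def build_profile(entries):
    """Assemble a minimal, constructed ICC profile: header, tag table, then tag data."""
    count = len(entries)
    table_end = TAG_COUNT_OFF + 4 + count * TAG_ENTRY_LEN
    rows, data = [], b""
    for sig, payload in entries:
        rows.append((sig, table_end + len(data), len(payload)))
        data += payload + b"\0" * (-len(payload) % 4)      # tag data is 4-byte aligned
    header = bytearray(HEADER_LEN)
    header[0:4] = struct.pack(">I", table_end + len(data))  # declared profile size
    header[8:12] = b"\x02\x10\x00\x00"                      # version 2.1
    header[12:16], header[16:20], header[20:24] = b"mntr", b"RGB ", b"XYZ "
    header[36:40] = b"acsp"                                 # profile file signature
    table = struct.pack(">I", count) + b"".join(
        struct.pack(">4sII", s, o, z) for s, o, z in rows)
    return bytes(header) + table + data


def sample_profile():
    """Two tags, each a type signature, 4 reserved bytes, then payload (constructed, abbreviated)."""
    desc = b"desc" + b"\0" * 4 + struct.pack(">I", 8) + b"example\0"
    wtpt = b"XYZ " + b"\0" * 4 + struct.pack(">iii", 0xF6D6, 0x10000, 0xD32D)  # D65 white point
    return build_profile([(b"desc", desc), (b"wtpt", wtpt)])


def tag_entry(profile, index):
    base = TAG_COUNT_OFF + 4 + index * TAG_ENTRY_LEN
    return struct.unpack(">4sII", profile[base:base + TAG_ENTRY_LEN])


def naive_bounds_ok(profile, index):
    """The unsafe pattern: offset + size computed as a C uint32_t would compute it.
    A size near 2**32 wraps the sum below the file length and the check passes."""
    _, off, size = tag_entry(profile, index)
    return ((off + size) & 0xFFFFFFFF) <= len(profile)


def parse_tag_table(profile):
    """Validate and return {signature: data}, with every tag range proven to lie inside the buffer."""
    n = len(profile)
    if n < TAG_COUNT_OFF + 4:
        raise ICCError("truncated header")
    declared = struct.unpack(">I", profile[0:4])[0]
    if declared > n:
        raise ICCError(f"declared size {declared} exceeds buffer of {n} bytes")
    if profile[36:40] != b"acsp":
        raise ICCError("missing 'acsp' signature")
    count = struct.unpack(">I", profile[TAG_COUNT_OFF:TAG_COUNT_OFF + 4])[0]
    table_end = TAG_COUNT_OFF + 4 + count * TAG_ENTRY_LEN  # Python ints never wrap; in C, bound count first
    if table_end > n:
        raise ICCError(f"tag count {count} overruns profile")
    tags = {}
    for i in range(count):
        sig, off, size = tag_entry(profile, i)
        # Compare size against the space remaining after off, never as off + size, so nothing can wrap.
        if off < table_end or size < 8 or size > n - off:
            raise ICCError(f"tag {sig!r}: offset {off} size {size} outside profile of {n} bytes")
        tags[sig.decode("ascii")] = profile[off:off + size]
    return tags


def craft_wrapping_size(profile, index=0):
    """Attacker-style mutation (constructed): give one tag a size that wraps a 32-bit offset+size sum."""
    base = TAG_COUNT_OFF + 4 + index * TAG_ENTRY_LEN + 8
    return profile[:base] + struct.pack(">I", 0xFFFFFFF8) + profile[base + 4:]


def is_rejected(profile):
    try:
        parse_tag_table(profile)
    except ICCError:
        return True
    return False


if __name__ == "__main__":
    good = sample_profile()
    bad = craft_wrapping_size(good)
    print("tags in good profile:", sorted(parse_tag_table(good)))
    print("naive check accepts crafted tag:", naive_bounds_ok(bad, 0))
    print("hardened parser rejects crafted tag:", is_rejected(bad))
```

The point of `size > n - off` rather than `off + size > n` is that the subtraction cannot overflow once `off` is known to be inside the buffer, which is exactly the property a 32-bit addition loses; the same discipline applies to the `count * TAG_ENTRY_LEN` product in C.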

Applicability

  • Windows 2000 Service Pack 4
  • All versions of Windows XP (including SP2 and 64-bit editions)
  • All versions of Windows Server 2003 (including Itanium editions)
  • Windows 98
  • Windows 98 Second Edition (SE)
  • Windows ME

Other versions, such as Windows NT, are vulnerable, but Microsoft
no longer supports them.

Risk level
For Windows 98, Windows 98 SE, and Windows ME, Microsoft has rated MS05-036 as an
important threat. It is a critical threat for all other affected systems.

Mitigating factors
An attacker could only gain the privileges of the vulnerable user. Following
the best practice of running the application with the lowest possible privilege
helps reduce the threat. In addition, a user must visit a malicious Web site or
open a malicious image file.

Fix
Apply the update. MBSA 1.2.1 and 2.0 will detect whether an update is necessary.
SMS can detect the problem and help deploy the update. According to Microsoft,
there are no known workarounds.

MS05-037

Microsoft Security Bulletin MS05-037, "Vulnerability in JView Profiler Could
Allow Remote Code Execution," is a publicly known vulnerability in Internet
Explorer involving the JView Profiler COM object, Javaprxy.dll (CAN-2005-2087).
Although it was only recently discovered, attackers are actively exploiting it at
this time.

Applicability

  • Internet Explorer 5.01 SP4
  • Internet Explorer 5.5 SP2
  • Internet Explorer 6
  • Internet Explorer 6 SP1

Risk level
MS05-037 is a critical threat for all affected versions except for IE 6 for Windows
Server 2003 and Windows Server 2003 SP1. For these versions, it is only a
moderate threat.

Mitigating factors
An attacker could only gain the privileges of the vulnerable user. Following
the best practice of running the application with the lowest possible privilege
helps reduce the threat.

IE's Restricted Sites Zone, in which Outlook Express 6 and Outlook 2002/2003
open HTML mail by default, should block an attempted attack in HTML e-mails. The
only other way to conduct an attack is to entice the user to a malicious Web site.

In addition, the Microsoft Java Virtual Machine (JVM) is not
part of the default installation for Windows XP SP1, Windows XP SP2, Windows
Server 2003, or Windows Server 2003 SP1.

Fix
Apply the update. MBSA 1.2.1 and 2.0 will detect whether an update is necessary.
SMS can detect the problem and help deploy the update.

Updated in July, Microsoft Security Advisory 903144, "A COM Object
(Javaprxy.dll) Could Cause Internet Explorer to Unexpectedly Exit," addressed
this problem. If you applied the advisory's patch, you can ignore this bulletin.
The patch, which sets a kill bit for the control, doesn't alter the operation of
the software.

As a workaround, change IE’s Internet and intranet security
zone settings to high, which causes IE to prompt the user before running
ActiveX code. You can also just disable ActiveX controls.

Another workaround is to disable Javaprxy.dll, which blocks the
use of Java code. You can find instructions for this method as well as
additional ways to restrict JVM to eliminate the threat in the security bulletin.
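To show the mechanism the advisory's patch and the bulletin's workaround rely on, here is an added Python example (mine, not Microsoft's or the column's). It generates the .reg file that sets the kill bit for one control, and parses an exported ActiveX Compatibility key to report which controls are already killed, which is how you would audit a fleet before and after deploying the update. The JView Profiler CLSID below is an assumption recalled from the bulletin's workaround section; verify it against MS05-037 before relying on it. The second CLSID is a placeholder, and the sample export is constructed.

```python
import re

ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400   # "Compatibility Flags" bit: IE refuses to instantiate the control

# ASSUMPTION: CLSID recalled from the MS05-037 workaround; confirm against the bulletin before use.
JVIEW_PROFILER_CLSID = "{03D9F3F2-B0E3-11D2-B081-006008039BF0}"
# Placeholder CLSID for a control that is present but not killed (not a real control).
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000001}"


def kill_bit_reg(clsid):
    """Return .reg text that sets the kill bit for one control; import with regedit or reg.exe."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{ACTIVEX_COMPAT_KEY}\\{clsid.upper()}]\r\n"
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}\r\n'
    )


_SECTION = re.compile(r"^\[(.+)\]$")
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def compat_flags_from_reg(reg_text):
    """Parse an exported .reg file (decode a real export as UTF-16 first) into {CLSID: flags}.
    Only subkeys directly under the ActiveX Compatibility key are considered."""
    prefix = ACTIVEX_COMPAT_KEY.lower() + "\\"
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            current = key[len(prefix):].upper() if key.lower().startswith(prefix) else None
            continue
        m = _FLAGS.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def is_killed(flags, clsid):
    """True when the control's Compatibility Flags carry the kill bit."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


def killed_clsids(flags):
    return sorted(c for c, v in flags.items() if v & KILL_BIT)


# Constructed stand-in for the output of: reg export "HKLM\...\ActiveX Compatibility" out.reg
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{ACTIVEX_COMPAT_KEY}]",
    "",
    f"[{ACTIVEX_COMPAT_KEY}\\{JVIEW_PROFILER_CLSID}]",
    '"Compatibility Flags"=dword:00000400',
    "",
    f"[{ACTIVEX_COMPAT_KEY}\\{PLACEHOLDER_CLSID}]",
    '"Compatibility Flags"=dword:00000000',
    "",
])


if __name__ == "__main__":
    audit = compat_flags_from_reg(SAMPLE_EXPORT)
    print("killed controls:", killed_clsids(audit))
    print("JView Profiler killed:", is_killed(audit, JVIEW_PROFILER_CLSID))
    print(kill_bit_reg(PLACEHOLDER_CLSID))
```

A kill bit only stops Internet Explorer from creating the object; it does not remove the DLL, which is why the bulletin's other workarounds (unregistering Javaprxy.dll, tightening zone settings) still matter for anything that loads the control outside IE.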

Final word

I must admit that MS05-036, the Color Management Module threat,
has somewhat confused me: Microsoft states both that it isn’t a publicly known threat
but that attackers are actively exploiting it. Somehow that doesn’t quite make
sense to me—but it could just be a minor editing glitch.

The impact of the other two threats doesn’t appear too great
to me. Then again, I don’t run ActiveX code, and I never open .doc files sent
by anyone I don’t know really well.

I also don’t open HTML e-mails, click attachments, or visit
sites to which strangers direct me. I consider these reasonable security
practices, and I hope many others follow the same guidelines, which should
greatly reduce the impact of these threats.

All in all, I suspect that these threats—although correctly
rated as critical because they permit remote code execution—will have a very
limited impact.


Also watch for …

  • Remember Sasser and all the excitement over catching the perp? Well, I believe I was one of the people who pointed out that German laws on this sort of thing were so lenient as to be meaningless. A German judge recently handed down the punishment to Sven Jaschan, the confessed author of the Sasser worm, for causing what was likely a million dollars' worth of damage. His punishment? A 21-month suspended sentence and 30 hours of community service. But the good news is that Microsoft's Anti-Virus Reward Program will pay out $250,000 to the two people who helped catch him. I applaud Redmond for the powerful message it's sending to hackers: Do something bad, and you better not brag about it!
  • Authorities recently arrested a Florida man and charged him with unauthorized network use for using a homeowner's unsecured wireless network to connect his laptop to the Web while sitting in his car. This is apparently the first arrest for unauthorized Wi-Fi access. But if zero security features are present on a wireless network, how do you know the person would object to sharing his or her bandwidth? The charges don't include hacking, data theft, or causing any damage, just using unsecured bandwidth. And how is that different from sitting outside one of the many businesses that run open wireless networks?
  • If you use PDF files, don't think that you can just black out information you want to keep private. For example, check out this PDF copy of an indictment for computer hacking against U.S. government sites (if no one has altered it yet). In the version still online as of this article's publication (July 18, 2005), the authors had blacked out the site locations, indicating that someone apparently thought it was sensitive information. However, a simple block copy from the PDF document to a text or word-processor application removes the ethereal magic marker and displays the addresses.
  • If you wondered why the Microsoft AntiSpyware utility doesn't report a lot of software you probably don't want on your machine, it might have something to do with the company's mergers and acquisitions activity, at least according to a recent report about why the utility no longer considers Claria adware as spyware. It's definitely a timely change, considering recent reports that Microsoft may be contemplating a purchase of Claria.
  • And finally, beware: According to a News.com report, exploit code for vulnerabilities in Firefox versions prior to 1.0.2 is in circulation.
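To make the PDF point above concrete, the following added Python example (my own, not from the column or the indictment it links to) builds a one-page PDF in which an address has been "blacked out" by drawing a filled rectangle over it, shows that a text extractor still recovers the address, and contrasts it with a copy where the string was removed from the content stream before the file was written. The PDF structure, the sample sentence and the 192.0.2.10 address are all constructed; the extractor is a toy that handles only simple literal strings.

```python
import re

SENSITIVE = "192.0.2.10"   # constructed sample; an RFC 5737 documentation address, not a real host
LINE = f"Defendant accessed host {SENSITIVE} without authorization"


def build_pdf(content):
    """Write a one-page, uncompressed PDF (constructed by hand) whose page draws `content`."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def text_op(text):
    """A text object that shows `text` with the Tj operator."""
    return f"BT /F1 12 Tf 72 700 Td ({text}) Tj ET".encode("latin-1")


def blacked_out_pdf():
    """What a 'magic marker' redaction produces: the text is still drawn, a black box is painted on top."""
    content = text_op(LINE) + b"\n0 g 200 696 70 14 re f"   # black filled rectangle over the address
    return build_pdf(content)


def truly_redacted_pdf():
    """Real redaction: the sensitive string never enters the content stream at all."""
    return build_pdf(text_op(LINE.replace(SENSITIVE, "[REDACTED]")))


_TJ = re.compile(rb"\(([^()\\]*)\)\s*Tj")   # toy: unescaped, unnested literal strings only


def extract_text(pdf):
    """Crude stand-in for 'select all, copy': pull every literal string shown with Tj."""
    return " ".join(m.decode("latin-1") for m in _TJ.findall(pdf))


if __name__ == "__main__":
    print("blacked out  ->", extract_text(blacked_out_pdf()))
    print("truly redacted ->", extract_text(truly_redacted_pdf()))
```

Real documents usually compress content streams with FlateDecode, so `strings` on the file will not show the text, but every viewer and every PDF library inflates the stream before rendering, which is exactly what a block copy exercises. The only safe redaction removes the text (and any images, annotations and metadata carrying it) before the file leaves your hands.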

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of
John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for
our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.