Microsoft goes back to business as usual with the release of
10 security bulletins for June, three of which patch critical flaws.
Details
After some relatively slow
months, Microsoft’s dreaded monthly patch day has re-emerged as an
important source of security information. The software giant released 10 security bulletins
for June last week.
Due to the numerous threats, I’ll concentrate on the three
critical bulletins this week. Next week, I’ll focus on the remaining seven
bulletins. As bad as the three critical threats are, keep in mind that this
month’s release is about on a par with April’s release of
five critical vulnerability patches and February’s release
of seven critical bulletins.
MS05-025
Microsoft
Security Bulletin MS05-025, “Cumulative Security Update for Internet
Explorer,” covers two new, but not publicly disclosed, vulnerabilities. The
most important vulnerability patched by this bulletin can result in remote code
execution.
- CAN-2005-1211: Portable Network Graphics (PNG) image rendering memory corruption vulnerability (critical threat)
- CAN-2002-0648: XML redirect information disclosure vulnerability (low to moderate threat)
The updates in this patch also include an improvement to the
pop-up ad blocker for Windows XP Service Pack 2 and Windows Server 2003 Service
Pack 1. In addition, this bulletin includes updates for Windows 98, Windows SE,
and Windows ME. While regular support for these older versions has ended, Microsoft
continues to support these editions when it comes to critical security
vulnerabilities.
Applicability
- Windows 2000 SP3
- Windows 2000 SP4
- All versions of Windows XP (including SP2 and 64-bit editions)
- All versions of Windows Server 2003 (including Itanium editions)
- Windows 98
- Windows SE
- Windows ME
Mitigating factors
You must open an e-mail attachment to be vulnerable to this threat. Opening
e-mails in plain text blocks the critical threat that comes from a PNG image
rendering flaw. Sticking to plain text e-mail also blocks e-mail XML redirect
attacks.
Potential attackers can use malicious code on a Web site to
exploit the XML redirect vulnerability. However, by default, Outlook Express 6,
Outlook 2002, and Outlook 2003 open HTML e-mails in the Restricted zone if you’ve
applied all earlier security updates. Internet Explorer running on Windows
Server 2003 runs in the Enhanced
Security Configuration, which also blocks this attack.
Fix
Install the updates. The Microsoft Baseline Security Analyzer (MBSA) and the Systems
Management Server (SMS) will indicate if the patches are necessary.
According to Microsoft, you can block PNG image rendering in
Internet Explorer by unregistering Pngfilt.dll. (Go to Start | Run, enter regsvr32 /u pngfilt.dll, and click OK.)
To disable PNG image rendering via the registry, see the original Security
Bulletin.
Microsoft recommends this workaround for the XML redirect threat:
Configure IE to run in the High security mode for both the Internet and Local Intranet
zones. You can also use the Custom Level security option to require that IE
prompts the user before running Active Scripting.
MS05-026
Microsoft
Security Bulletin MS05-026, “Vulnerability in HTML Help Could Allow
Remote Code Execution,” is yet another patch for the HTML Help feature
that can allow remote code execution. However, this threat is unrelated to the HTML Help
vulnerability patched in MS05-001.
This bulletin addresses one new and not publicly disclosed
threat related to the InfoTech protocol (CAN-2005-1208).
In addition, this bulletin includes updates for Windows 98, Windows SE, and
Windows ME. While regular support for these older versions has ended, Microsoft
continues to support these editions when it comes to critical security
vulnerabilities.
Applicability
- Windows 2000 SP3
- Windows 2000 SP4
- All versions of Windows XP (including SP2 and 64-bit editions)
- All versions of Windows Server 2003 (including Itanium editions)
- Windows 98
- Windows SE
- Windows ME
Mitigating factors
Windows Server 2003 SP1 places restrictions on the InfoTech protocol to help
prevent remote attacks. By default, Outlook Express 6, Outlook 2002, and
Outlook 2003 open HTML e-mails in the Restricted zone if you’ve applied all
earlier security updates.
Fix
Install the updates. MBSA and SMS will indicate if the patches are necessary.
Microsoft suggests the following workaround: Unregister the HTML
Help InfoTech protocol by going to Start | Run, entering regsvr32 /u %windir%\system32\itss.dll, and clicking OK. For systems
running Windows 98, Windows SE, and Windows ME, enter regsvr32 /u %windir%\system\itss.dll instead. This workaround disables
all HTML Help.
MS05-027
Microsoft
Security Bulletin MS05-027, “Vulnerability in Server Message Block
Could Allow Remote Code Execution,” addresses one new and not publicly
disclosed threat (CAN-2005-1206).
Without firewall protection or TCP/IP filtering, attackers can exploit this
vulnerability using an outside Internet-based attack or via a local network.
This vulnerability does not affect the related Common
Internet File System (CIFS) Internet Standard protocol. This threat is unrelated
to the SMB
vulnerability patched in MS05-011.
Applicability
- Windows 2000 SP3
- Windows 2000 SP4
- All versions of Windows XP (including SP2 and 64-bit editions)
- All versions of Windows Server 2003 (including Itanium editions)
This vulnerability does not
affect Windows 98, Windows SE, or Windows ME.
Mitigating factors
Although remote code execution is possible, in most instances, this attack
would result in a denial of service instead. Firewall best practices will
protect against this attack vector, and even the minimal ICF, as well as the
Windows Firewall provided with XP SP2 and the firewall supplied with Windows
Server 2003, will block unsolicited incoming traffic.
Fix
Install the updates. MBSA and SMS will indicate if the patches are necessary.
A simple workaround is to block TCP Ports 139 and 445 at the
firewall—both inbound and outbound. This prevents the affected protocol from
initiating a connection.
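To confirm that the port block is actually in effect, the following added example (not from the original article or from Microsoft) probes TCP 139 and 445 on hosts you administer. Run it from the untrusted side of the firewall to test the inbound rule; the function names and the default target are assumptions made for illustration.

```python
import socket
import sys

# The two ports the workaround says to block: NetBIOS session service and direct-hosted SMB.
SMB_PORTS = (139, 445)


def port_state(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' (actively refused) or
    'filtered' (no answer or unreachable, typical of a firewall drop rule)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Must be caught before OSError, which is its parent class.
        return "closed"
    except OSError:
        # Covers timeouts, unreachable hosts and name-resolution failures.
        return "filtered"


def audit_smb_exposure(hosts, ports=SMB_PORTS, timeout=2.0):
    """Return {host: [ports still accepting connections]} for exposed hosts only."""
    exposed = {}
    for host in hosts:
        open_ports = [p for p in ports if port_state(host, p, timeout) == "open"]
        if open_ports:
            exposed[host] = open_ports
    return exposed


if __name__ == "__main__":
    # Constructed default target; pass your own hosts as arguments.
    targets = sys.argv[1:] or ["127.0.0.1"]
    exposed = audit_smb_exposure(targets)
    for host in targets:
        status = exposed.get(host)
        print(f"{host}: " + (f"EXPOSED on {status}" if status else "no SMB ports reachable"))
    # Non-zero exit lets a scheduled job flag a host where the block is missing.
    sys.exit(1 if exposed else 0)
```

A "closed" result means the host itself refused the connection, so a firewall that silently drops traffic will show up as "filtered" instead.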
Risk level – Critical
All three bulletins include remote code execution
vulnerabilities and therefore are as serious as threats get. However, one
component of MS05-025 does not represent a critical threat.
Tune in next week to get the details on the lower-level
vulnerabilities. But for those of you who feel confident in the process, you
can go to Microsoft
Windows Update for all patches.
Final word
Well, we seem to be on track for Microsoft threats so far
this year. However, I think it’s only fair to point out that all the critical
threats addressed by this month’s bulletins are for vulnerabilities not already
publicly known—and therefore no one’s trying to exploit them yet. In other
words, Microsoft provided patches before
anyone was even aware of these vulnerabilities, let alone became a victim of
them.
When is a critical vulnerability not a critical
vulnerability? That’s a trick question—it’s always
critical. But a vulnerability certainly isn’t much of a real-world problem if
no one knows it exists until after a fix is available.
Of course these threats are public now, so you do need to
patch them or apply workarounds until you see if the patches themselves cause
any problems.
Also watch for …
- Those of you who have always disliked product activation features have a new reason to add to your objections: Adobe has announced that its License Management Service, a component used for product activation, contains a vulnerability that can let an attacker gain control of computers running Adobe Photoshop CS for Windows, Adobe Creative Suite 1.0, and Adobe Premiere Pro 1.5. A security patch is available from Adobe.
- Those of you who complain so loudly about ActiveX should take note that Sun has just patched two highly critical vulnerabilities in Java. Secunia’s high rating is because the vulnerabilities not only allow an attacker to run arbitrary code on vulnerable systems—but he or she can do so without any indication of the attack. This threat applies to older Java 2 Platform Standard Edition (J2SE) releases, versions prior to February’s J2SE 5.0 Update 2. Sun recommends upgrading Java Platform code to the latest version.
- Warning: Anyone running Windows 2000 should take note of the fact that general support for the popular OS will end this month.
- Finally, since we look to the Feds to help protect us against Internet scams and other crimes, I feel I would be remiss if I didn’t point out a CNN report that a 30-year FBI veteran will serve a year-long federal prison sentence for possession of child pornography. The long-time agent said he learned how to access child porn Web sites at a training session in 2000 or 2001.
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.