Microsoft Patches 4 Critical Flaws
By Brian Prince | Posted 04-10-2007
Patch Tuesday has arrived, and brought with it patches for a number of security vulnerabilities rated "critical" by Microsoft.
The four updates considered critical deal with remote code execution vulnerabilities in Microsoft Agent, the Universal Plug and Play service, Content Management Server and the Windows Client/Server Run-time Subsystem (CSRSS). A fifth update is rated "important" and addresses a privilege elevation vulnerability that exists in Windows Kernel due to incorrect permissions on a mapped memory segment.
This flaw cannot be exploited remotely.
The five bulletins released today contain fixes for a total of eight vulnerabilities, and come on the heels of last week's out-of-band update. To Don Leatham of the Scottsdale, AZ-based security vendor PatchLink, the fact that some of the vulnerabilities affect Vista is proof that while the new OS features security enhancements, users should not get cocky.
"Jumping immediately to Vista increases your security but it does not make you invulnerable," said Leatham, PatchLink's director of security solutions, in an interview with eWEEK.
Symantec Security Response rated the Microsoft Agent vulnerability as the most critical of the security bulletins because a successful exploit could allow an attacker to install malicious code and potentially gain complete control of the affected system.
The vulnerability affects the Microsoft Agent ActiveX component of Microsoft Windows 2000, Windows XP and Windows Server 2003, but does not affect Vista.
To exploit this vulnerability, an attacker would have to convince users to visit the Web site.
"Symantec views these patches as critical because there is an increased potential for exploitation since these vulnerabilities affect multiple versions of Microsoft Windows, including Windows Vista," said Vince Hwang, group product manager, Symantec Security Response.
"Symantec always recommends that users download the available Microsoft patches to mitigate the security risks and to optimize and protect their systems from attacks."
Other security specialists deemed the patch for the CSRSS vulnerabilities equally or more important, noting that all three CSRSS flaws affect Windows Vista and prior versions of Windows. A remote code execution vulnerability exists in the CSRSS process because of the way that it handles error messages.
Two other flaws involving CSRSS, one dealing with how it handles its connections during the starting and stopping of processes and the other with how it handles error messages, were also patched. Neither of those two flaws, however, can be exploited remotely, according to Microsoft.
"The most interesting thing about this vulnerability [MS-07021] is that we have a CVE on Dec. 21, 2006 and a Microsoft Security Response Center blog posting on Dec. 22, 2006 on this same vulnerability well in advance of Vista's release in January 2007," said Andrew Storms, Director of Security Operations at nCircle in San Francisco.
Microsoft has also fixed two flaws in Microsoft's Content Management Server, a product that allows customers to build, deploy and maintain Web sites. One is a problem in how HTTP requests are handled, while the second is a spoofing or cross-site scripting vulnerability caused by the Microsoft Content Management Server not completely validating input provided in an HTML redirection query before it sends this input to the browser.
Another remote code execution vulnerability exists in the UPnP service involving the way it handles specially crafted HTTP requests. An attacker who has successfully exploited this vulnerability could run arbitrary code in the context of local service, according to Microsoft.
Michael Sutton, Security Evangelist for Atlanta-based SPI Dynamics, urged businesses to move decisively but cautiously when rolling out updates.
"Internal testing is required to first ensure that the update does not conflict with any third party or custom built applications," he said. "The days following a patch release present significant risk for corporations. Once details of the vulnerability are available, the clock starts ticking between attackers attempting to develop exploit code and corporations trying to successfully deploy patches. It's a winner take all race to the finish."