Microsoft to Patch Critical .Net Flaw

By Lisa Vaas  |  Posted 07-09-2007
Microsoft is issuing six patches on Patch Tuesday on June 10, one of which addresses a critical .Net Framework vulnerability that has the potential to affect a wide array of applications on all of Microsoft's actively supported platforms.

Microsoft's .Net Framework, a component that's included with the company's operating systems or which can be added to them, contains chunks of code for common program requirements. It's a core piece of Microsoft's product offerings, particularly since it's intended to be used by new applications created for Windows. As such, its code library covers many important moving parts in applications, including user interface, data access, database connectivity, cryptography, Web application development, algorithms and network communications—all of which are crucial security points.

The .Net Framework actually has its own security mechanism that covers CAS (Code Access Security)—a check of permissions granted to code—as well as validation and verification requirements.

Users won't know until the morning of June 10 when Microsoft delivers its July set of patches exactly what particular chunk or chunks of code the .Net patch covers, but Microsoft has said that the vulnerability could lead to remote code execution, which is considered to be the worst vulnerability, given that it leaves systems vulnerable to hijacking.

"If you … analyze [the details Microsoft has given in its Security Bulletin Advance Notification, the software affected runs] across all platforms that .Net can be installed in," said Don Leatham, director of solutions and strategy for PatchLink. "[The affected versions include] the latest .Net technology. That's why we feel the effects are going to be widespread. On our side, we're prepping customers to make sure they get this out as quickly as possible."

Click here to read more about Microsoft touting Vista's security.

Because .Net is so widespread and many programs and internal development efforts are built on the framework, the potential for the patch to break something is substantial. PatchLink is recommending that customers take a phased approach to deploying the patch, by first deploying to a test network upon which organizations should test critical applications and then moving deployment up to increasingly critical business groups or phases.

Seven .Net versions are affected by the critical vulnerability, which, Microsoft says, can lead to remote code execution. Because of the widespread importance of .Net and the applications that are built using its code components, analysts are advising that organizations update ASAP to patch this vulnerability.

For details on the affected versions, check Microsoft's Security Bulletin Advance Notification page.

Microsoft is patching two other critical vulnerabilities, both of which can lead to system hijacking, the same as with the .Net vulnerability. One of the patches will address a vulnerability that affects Office and Excel, while the other affects Windows.

The Excel vulnerability is one to watch out for, given that the application is implicitly trusted by Internet Explorer. Users who visit maliciously crafted sites can click on links that bring up infected .xls files. Because such an embedded Excel file is within an IE Windows frame, brought down through the browser and then through HTTP protocols, IE allows users to navigate through and manipulate such files. This presents a thornier scenario than in the past, when infected files have been sent through e-mail, given that e-mail filters generally can catch and quarantine infected files.

"If there's something that can be exploited as an embedded document within IE, you can't always catch that," Leatham said.

One way to protect against infection via infected embedded Excel files is through IE security settings, enforced through group policy object, that warn against opening embedded files.

As for what Microsoft's leaving unpatched, eEye's Zero-Day Tracker site lists a PowerPoint vulnerability of medium severity that's been out there for 270 days and counting.

Two other patches, deemed important, are for vulnerabilities that could also lead to remote code execution. One is for Office Publisher, and the other is for Windows XP Professional.

Vista will be up for patching as well. Leatham noted that the latest operating system could be affected by the critical .Net vulnerability, on top of a moderately important patch—for a vulnerability that could lead to information disclosure—that Microsoft is putting out for Vista.

Microsoft is also updating its Malicious Software Removal Tool—an update that won't be distributed by SUS (Software Update Services). SUS is, in fact, up for a high-priority, non-security-related upgrade itself. The update for the Microsoft Windows Malicious Software Removal Tool will come out on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Microsoft is also planning to release four non-security, high-priority updates on MU (Microsoft Update) and WSUS (Windows Server Update Services).

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.