In one of its lighter Patch Tuesday cycles in recent months, Microsoft released four fixes, including a patch for a critical vulnerability in its Windows Agent animation services.
While one security researcher said this was just more of the “same old same old” from Microsoft, another told SCMagazineUS.com that the MSN Messenger/Windows Live Messenger instant messaging fix was a key update.
“This is a very light month — we’re not overly concerned by any of these. The reason we’re not as concerned: It’s just not extraordinary, or in any way different, than the issues we’ve seen on a monthly basis for a long time now,” Tom Cross, an exploit researcher at IBM Internet Security Systems, told SCMagazineUS.com. “It’s important that people patch for the [Windows Agents] vulnerability [MS07-051], and it’s not to be taken lightly.”
“But there’s no exploit in the wild now,” Cross said.
Cross called the Windows Agent remote code execution vulnerability “interesting.” Microsoft’s bulletin noted that a number of security research organizations were simultaneously credited with finding it — meaning, “a number of researchers converged on the same point,” Cross said.
“That’s interesting because it means someone else with less noble intentions could find the same thing and exploit it,” he said.
Symantec’s Security Response team rated the Microsoft Agent ActiveX flaw “critical” because of the wide use of ActiveX controls in multiple applications.
“Symantec has observed a significant increase in ActiveX vulnerabilities this year,” said Ben Greenbaum, senior research manager, Symantec Security Response.
Amol Sarwate, manager of the vulnerability research lab at Qualys, was more concerned about the IM issue than the Windows Agent vulnerability.
“The reason we think it’s most important is because of the components affected,” he told SCMagazineUS.com.
The vulnerability exists in the handling of webcam video streams in the IM software, he said. “An attacker can use social engineering techniques to fool victims into clicking on a link that takes them to a malicious website, where any code can be downloaded to the victim’s machine.”
ISS’s Cross had a different view of this flaw: “To be exploited, someone would have to click on a link in an IM to a malicious website, and when the browser loaded, the malicious page would install software on the computer.”
Andrew Storms, director of security operations for nCircle, said that the exploit is one of the latest in a rash of IM threats.
“This exploit was first announced several weeks ago and Microsoft moved very quickly to get this fix out,” he said. “I’m sure this is because of the recent flush of exploits that target IM clients. We have seen two bugs in Yahoo Messenger, one of which was almost identical to this MSN Messenger chat vulnerability.”
Storms added that on Monday a Skype worm started to take hold that could also be a significant threat.
The remaining patches are likely of little interest to mainstream Windows users. One impacts Windows Services for UNIX 3.0, an optional component used mostly by system administrators who enjoy working within a UNIX-like environment; the second affects Crystal Reports in Visual Studio, a software developer’s tool.
Microsoft’s security update bulletin for this round of patches can be found here.