Microsoft’s release today of seven much-anticipated patches highlights the continued trend of client-side vulnerabilities – but the most important fix of all corrects a high-risk flaw that malicious users can take advantage of with no user interaction.
Today's Patch Tuesday security bulletin corrects several critical vulnerabilities, including two flaws in Windows server – which facilitates file and print sharing – that allow remote code execution.
What makes this bug particularly alarming to security experts is that its "wormable" payload can transfer from computer to computer without individuals clicking on bogus attachments or opening untrusted websites.
Mike Murray, director of vulnerability research at flaw management vendor nCircle, said "it's really one of the first significant unauthenticated vulnerabilities of 2006" because it does not require usernames or passwords, thereby bucking the trend of many of today's bugs.
Many hackers have given up on targeting remote services, now more secure, instead choosing to focus on holes in client-side applications. Yet this bug conjures up images of past flaws that led to the notorious Blaster, Slammer and Zotob worms.
"It's more dangerous because it can be exploited automatically," said Jonathan Bitle, Qualys product manager. "If a machine is available and unresponsive, it will respond to this malware packet because it is listening for this content."
Today's advisory also patched a critical vulnerability in the DHCP client service, which is used to obtain IP addresses so machines can communicate with each other, Bitle said. That flaw also does not require user interaction and could have led to worms being launched onto a PC.
"Remotely exploitable vulnerabilities can pose a serious threat to organizations because they do not require user interaction and can be attacked from across the internet," said Dave Cole, director of Symantec Security Response. "With the likelihood of multiple Windows servers sitting on the same network, (we recommend) that organizations review their firewall policies and properly patch their systems…"
Three other patches were released to correct critical flaws in Microsoft Office, exemplifying the increasing trend in client-side vulnerabilities.
"These are the low-hanging fruit and rely on the users not being educated enough to not open certain files or not go on certain websites," said Amol Sarwate, manager of Vulnerability Research Labs at Qualys.
Two other patches, deemed "important" by Microsoft, correct a flaw in ASP.NET that could have allowed for information disclosure and a flaw in Microsoft Internet Information Services using Active Server pages that could have permitted remote code execution.
One month after the Redmond, Wash. software giant released a dozen patches, its largest security update since February 2005, Microsoft issued another seven this month. And there may be no rest for weary network administrators.
Experts said Patch Tuesdays may continue to be busy, especially considering Metasploit creator H.D. Moore has pledged to publish information on one browser bug for each day in July – many of which will be related to Internet Explorer.
But Murray said there is no reason to read into the recent spike in patches. He instead chose to praise Microsoft for being more accountable and transparent in its fixes than it was a few years ago.
"We're being fooled by the randomness," he said. "You eventually had to have a month when Microsoft had to release a bunch of patches."