Patch/Configuration Management, Vulnerability Management

A Patch Tuesday surprise from Microsoft – plus six other fixes

Microsoft released seven patches today for 11 vulnerabilities, including a surprise fix for two zero-day flaws in Windows Media Player.

The update also addresses a flawed WMI Object Broker ActiveX control in Visual Studio 2005, a widely used Microsoft development platform. The vulnerability emerged days before the November patch release and was not addressed in that fix.

But perhaps the biggest news out of today's release was what wasn't fixed. The Redmond, Wash. software giant did not push out patches for two critical Word vulnerabilities, one of which is being actively exploited in limited, targeted attacks.

"I would anticipate an out-of-band patch given the severity of these vulnerabilities and the tremendous use of Word in the business community," said Amol Sarwate, manger of the vulnerability labs at Qualys. "Understandably, Microsoft didn't have time to incorporate (these vulnerabilities) into their patch cycle. This highlights the trend of zero-day exploits where hackers are releasing exploits just before the Patch Tuesday cycle so Microsoft doesn't have enough time to address them."

So far this year, Microsoft has issued two out-of-cycle patches.

Today's surprise fix affects the ASX file format, processed by the Media Player. According to a Microsoft Security Response Center blog post Thursday, attackers could create malformed ASX files to cause a buffer overflow resulting in remote code execution.

Microsoft was not planning to fix the flaws but decided on a patch after receiving reports of publicly available proof-of-concept code.

Today's release also included six patches for previously unknown Windows flaws, including four critical bugs in Internet Explorer.

Meanwhile, Gunter Ollmann, X-Force director at IBM Internet Security Systems, said enterprises should pay particular attention to a fix for a simple network message protocol (SNMP) vulnerability labeled only as "important."

"Although SNMP is not a default service, it is the defacto standard for monitoring critical business assets," he said. "Because SNMP uses user datagram protocol (UDP), which doesn't require a handshake, internal attackers can spoof an identity and gain complete control of a network."

Michael Sutton, security evangelist at SPI Dynamics, told today that the bugs addressed in today's bulletin underscore hackers' continued focus on client-side vulnerabilities that can be easily discovered through means such as fuzzing. Fuzzing is a method traditionally used by software developers to find faults in applications.

"Overall this year, we've had a tremendous amount of Office vulnerabilities," Sutton said. "You take a known, good file, like a Microsoft Word file, and start mangling pieces of it. There's a real shift in focus from server-side to client-side (vulnerabilities). It's the client-side vulnerabilities that really lend themselves to phishing and identity theft."

Marc Maiffret, chief hacking officer at eEye Digital Security, told today that client-side attacks are particularly troublesome because "anti-virus software isn't going to protect you." Organizations must deploy some host-based security software that lends buffer overflow protection, he said.

"Is the perfect answer to block all the files?" Sutton said. "You can't. Imagine the internet with no sight or sound. It would be a pretty boring place. The only true workaround is not accepting things from untrusting sources. But obviously, that only goes so far."

Cick here to email Dan Kaplan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.