Microsoft Issues Three Critical Patches
Microsoft on Tuesday issued a patch for an earlier discovered flaw in Visual Studio 2005, while yet another cumulative patch for Internet Explorer was released, as well as one for a vulnerability within the Windows Media Format.
The Visual Studio flaw covers an issue that was first disclosed by researchers in early November. A remote code execution issue exists within a feature called the WMI Object Broker that is used by the WMI Wizard within Visual Studio.
The vulnerability is exploited by viewing a specially crafted webpage, and could result in complete system takeover, Microsoft says.
The Redmond companuy has also offered up a cumulative patch for Internet Explorer, which handles four separate flaws within the browser. According to the advisory, only Internet Explorer versions 5.01 and 6 are affected.
Two involve memory corruption flaws, one in the script error handling feature of the browser, and the other having to do with issues in how the browser handles DHTML. Specially crafted Web pages could be designed to take advantage of the issue, it warned.
Symantec says the script error vulnerability poses the most risk of any of the patched flaws. "This client-side code execution vulnerability is caused by a memory corruption condition when handling script errors in certain circumstances and may result in a complete system compromise," researchers said.
The other flaws involve two separate issues dealing with the temporary internet folder. While both would allow for the attacker to retrieve files from the compromised system, only one would be able to be initiated without user interaction.
The final critical vulnerability deals with problems in the way Windows Media Player parses both ASF and ASX files. Specially crafted files could allow the attacker to take control of a vulnerable system. The issue affects various versions of the software from 6.4 through 9.5, Microsoft said.
Symantec provided more details on the issue: "This client-side code execution vulnerability is caused by an unchecked buffer in Windows Media Player code that handles Advanced Streaming Format (ASF) files," it said.
According to eEye Digital Security, the ASX vulnerability was added late in the cycle to address zero-day vulnerabilities that were already being actively used.
"eEye Digital Security's research team investigated publicly disclosed information about the exploit and found it to actually be remotely exploitable, a much higher concern than just a DoS attack," a spokesperson said.
Of the rest of the vulnerabilities, all were rated "important" by Microsoft. Three deal with remote code execution issues: one in the Simple Network Management Protocol (SNMP), another in a cumulative patch for Outlook Express, and a flaw within the Remote Installation Service.
Microsoft noted that neither the SNMP nor RIS is installed by default on any version of the operating system.
Finally, a patch has been issued to deal with an elevation of privilege risk within Windows. In order to exploit it, however, valid logon credentials and the ability to log on locally is required.
Security firms are applauding Microsoft's aggressiveness, but note that the increasing number of patches are intimidating users. "Microsoft's significant efforts have definitely made the Windows platform a more secure platform," said Don Leatham, director of solutions and strategy at PatchLink.
"However, the increasing volume of bulletins and the associated patches pose a challenge for customers," he said, pointing to a company survey that said that IE is its customers' biggest concern, and general expectations for an increase in the number of patches during 2007.