News

'Patch Tuesday' Fixes Released

As expected, Microsoft's September "Patch Tuesday" update contains fewer security patches than in recent months -- four, to be exact.

• By Jabulani Leffall
• 09/11/2007

But while this month's release appears on its face to be thin and relatively uneventful, don't sell these fixes short, said Eric Schultze, chief security architect at Saint Paul, Minn.-based Shavlik Technologies.

"This release is significant in the sense that three of the patches that are considered 'Important' bear as much weight as the one that was described as 'Critical," and that's something people should look at."

The one critical security issue addresses possible remote code execution (RCE) exploits that affect Windows 2000, while the three other "important" patches deal with Visual Studio, Windows Services for Unix, MSN Messenger and Windows Live Messenger, respectively.

Schultze says the latter three are "zero day" patches, with exploits publicly known, but no patches existing until this month.

The lone "Critical" patch is for "Clippy's Revenge."

"Clippy" is the famously annoying paperclip icon present in Microsoft Office. And now users have even more reason to hate "Clippy", as it's become an attack vector.

Hackers can piggyback on "Clippy" using specially-crafted URLs. The antidote is Microsoft's Baseline Security Analyzer (MBSA), which can sweep the system for bugs and determine whether the system requires an update. This will require a restart.

The first "important" issue pertains to RCE implications for Visual Studio via the use of Crystal Reports, a data aggregation tool designed to select specific rows and columns from a table of compatible data for running reports. The vulnerability could allow remote code execution if a user opens a specially crafted ".RPT" extension file, the kind of file utilized specifically in formulating data fields in Crystal Reports. The MBSA or Enterprise Update Scan Tool can also help determine whether systems need this patch. If they do, it will require a restart.

The second "Important" issue involves "elevation of privilege," or access control risks. Affected are Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and subsystems for UNIX-based applications, where running certain "setuid" (Unix-based access rights flags assigned to binary files) program files would allow an attacker to change his/access status to that of an system or domain administrator. This would give a user carte blanche with critical applications, programs, interfaces and data. This patch will require a restart as well.

For the last patch, Schultze emphasizes the need to abstain from downloading or launching non-work related files or applications. This security bulletin, which is said to "resolve a publicly disclosed vulnerability in MSN Messenger and Windows Live Messenger," addresses the possibility of RCE infiltration when a user accepts a video chat invitation from an attacker. The current version, Windows Live Messenger 8.1, is not affected by this patch and the fix won't require a restart.

The best practice in this case, Schultze said, is to not accept the invitation.

Microsoft is also releasing an update to its Malicious Software Removal Tool, as it does every month.

Another note: administrators should be mindful of the fact that this year's "fall back" time change is happening in early November, and not October.

"If you're an administrator who didn't patch your system, the time change might register on your systems a week early," Schultze cautioned. "This is not so much a problem for individual workstations, but certainly for servers and other system software and enterprise-wide hardware, particularly in the case of newer machines that haven't been integrated into the system yet."