News

No Surprises in Last Patch Tuesday for 2007

As expected, the last Patch Tuesday offers fixes for seven vulnerabilities -- three of them critical -- and sets the tone for 2008 as the "year of the Vista Patch."

• By Jabulani Leffall
• 12/11/2007

Security experts say that the latest release -- which deals with potential remote code execution and elevation of user privilege holes -- cements 2007 as the year of the "client-side" vunerabilities and could make 2008 the year of the "Vista patch."

"What Microsoft did right this year was getting their patches out in a timely manner for client-side vulnerabilities," said Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies. "What they did wrong was to laud Vista as the security cure-all, a big mistake considering what we're seeing now."

Indeed, security experts identified eight distinct vulnerabilities this month that all affect Vista; five of the seven patches in the bulletin deal with potential vulnerabilities in the new OS.

Critical Fixes
The three critical bulletins all relate to remote code execution, a recurring theme throughout this year with each patch release.

The first critical issue is said to close the book on two privately reported vulnerabilities in Microsoft DirectX, a cluster of streaming media application programming interfaces in all versions of Windows. Microsoft said vulnerabilities could allow code execution if a user opened a specially crafted streaming media file in DirectX.

For instance, an attacker exploiting this vulnerability could commandeer the system from a user who is logged on with administrative rights. The attacker could subsequently have carte blanche in installing programs viewing, updating, altering or deleting data -- even creating new user accounts with "superuser" profiles.

The second item in the critical area is akin to the first patch in that it deals with Windows Media Runtime components. This update, like the first one, also resolves a privately reported vulnerability in Windows Media Format. This vulnerability could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime. Redmond said users with fewer rights will likely be less-impacted than those with administrative access rights.

The first two patches are timely -- exploit code had been released last Saturday that seizes upon a hole in a flawed MP4 codec used on both Windows Media Player and Windows Media Player Classic.

The last critical patch should raise the most eyebrows among security administrators, as it constitutes a cumulative update of Internet Explorer.

Redmond said the patch covers at least four privately reported holes in the application and that the most serious security impact could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

What's missing from this cumulative patch is a specific fix for Web Proxy Automatic Discovery program vulnerabilities as described in the software giant's security advisory released last week. Observers say Microsoft probably couldn't resolve that issue in time for the December patch release.

Furthermore, some security experts are concerned about the ongoing client-side vulnerabilities in Windows applications. With the growth of Internet file sharing, said Ben Greenbaum, senior research manager at Symantec Security Response, hackers can share exploit code with the world under the guise of a video file of the latest YouTube craze.

"The sheer number of vulnerabilities this month that affect Windows Vista is a concern," Greenbaum said. "The more alarming vulnerabilities are those in Windows Media Format Runtime and Internet Explorer, since a successful exploit could occur when a user visits a malicious Web page or when viewing a malicious e-mail. Neither issue requires any further interaction by the victim to exploit, compounding the problem."

Important Fixes
Meanwhile, all of the four important fixes, split between RCE exploits and elevation of rights attacks, pertain to Windows OSes -- either XP and/or Vista. With elevation of privilege at the OS level, a hacker can get around access controls by increasing entry and command parameters on the system, thus changing the rights profile and becoming a "superuser."

The first important patch affects Vista and Vista x64 versions and is actually the result of new code written to target those specific versions. The patch covers Server Message Block Version 2 (SMBv2) which, in most cases, operates as an application-based network protocol, with utility in areas of shared access such as printer settings, serial ports and community hard drives.

Redmond said vulnerabilities in SMBv2 can allow an attacker to tamper with data transferred via the SMB protocol, which would foster remote code execution in domain configurations that communicate via the protocol itself.

The second important patch affects Windows Server 2000 Service Pack 4 and XP SP3 and remedies a privately reported vulnerability in the Message Queuing Service (MSMQ) that could allow remote code execution in OS or application implementations on Windows 2000 Server. Also, it could allow for elevation of privilege in the same such implementations on Windows 2000 Professional and Windows XP. However, Redmond said that attackers would have to have "valid log-on credentials to exploit this vulnerability."

The third important stopgap in the form of a patch prevents elevation of privilege execution in all versions of Vista. Exploiting a vulnerability in the Windows Vista kernel, an attacker could take complete control of an affected system.

The last of the important fixes patches up holes that could allow for local or client-side elevation of privilege on all versions of XP and every version of Windows Server 2003 except Itanium-based systems. This update takes care of a publicly disclosed vulnerability, where the Macrovision driver incorrectly handles configuration parameters and could be used by a hacker to take over the whole system.

As usual, Microsoft Baseline Security Analyzer can be put in play by IT pros to sweep the system and determine if an individual update is needed. Five of the seven patches will require a restart, with the caveat from Redmond that the remaining two may require restarts in "certain situations."

Microsoft also plans to release six non-security, high-priority updates on Microsoft Update and one non-security, high-priority update for Windows on Windows Update.

Lastly, what would Patch Tuesday be without a new version of the Microsoft Windows Malicious Software Removal Tool, which Redmond releases every month?

"What this last release of the year proves is that security is not a one-off thing that you can brand in the way you would laud other features," said Symantec's Greenbaum. "Security is an ongoing process, with different goals at different times, and is constantly changing."

In the wake of the release, IT pros in the Windows enterprise space will have a veritable stocking stuffer of issues to consider in what may be a hectic lead time ahead of the holiday break.

Schultze of Shavlik Technologies predicts that 2008 might be the "year of the Vista patches" and says technologists and computer enthusiasts can expect more client-side vulnerabilities in Windows products and services, particularly as they relate to shared Web files.

"From what we've seen in the last sixth months, I'd expect one of two large server side issues too," he said. "They'll be similar to a slammer or a worm and may come about by June. [We] haven't had those in a while and we're probably due for it."