News

May Security Patch Targets Windows, PowerPoint Flaws

• By Jabulani Leffall
• 05/10/2011

Microsoft's May patch arrived as expected, with just two security bulletins, one deemed "critical" and one considered "important."

Both items aim at thwarting remote code execution (RCE) attacks. One is designed as a general Windows fix, while the other addresses a PowerPoint flaw. The small patch size this month shouldn't discount its importance, according to Andrew Storms, director of security operations at nCircle.

"Don't let the small number of patches this month give you a false sense of security," Storms said. "IT teams should be just as diligent this month as they were for last month's gigantic patch."

Also, look out for fakes this month. Hackers have been circulating a scam e-mail claiming to have the details of a "critical security update" from Microsoft. The e-mail says Microsoft has issued a "high-priority" security fix for Windows that can be downloaded via a link in the fraudulent message, according to the Websense community blog. Of course Microsoft does have a Windows fix, but it's not that one.

Critical and Important Patches
The operating system-level fix, and the only critical item this month, addresses a flaw in the Windows Internet Name Service (WINS). Microsoft says that this RCE exploit could be triggered by a specially crafted WINS replication packet on an affected system running WINS.

Storms said that the WINS bulletin is the most important fix in this month's patch. He added that Microsoft is downplaying this flaw, but it potentially could be used in RCE attacks.

"WINS is a network-aware application that does not require authentication, and many enterprises require WINS on their networks," Storms said. "Taken together, these factors mean that a lot of enterprises will find their internal network servers vulnerable to a remote code bug."

The important item addresses a flaw in PowerPoint. This vulnerability could allow "remote code execution if a user opens a specially crafted PowerPoint file," according to Microsoft. The patch affects PowerPoint programs sitting on Office XP, Office 2003 and Office 2007, as well as Office 2004 and 2008 versions. Microsoft provided additional guidance on this patch, saying that installing and configuring Office File Validation can prevent the opening of suspicious files.

Both patches may require restarts.

Prioritizing Patches
As this patch rolls out, the software giant is also revamping its Exploitability Index. This change to the index, starting this month, will aid IT pros in deciding what's urgent and what can wait, according to Microsoft.

The new iteration of the index will come with two index ratings per vulnerability patched. With this approach, there will be one index rating for newer OSes and application versions, along with one index rating for earlier releases.

According to this post by Maarten Van Horenbeeck, Microsoft's senior security program manager, the security team has been "collecting ratings internally in this way for the last eight months." He says that of a total of 256 ratings, at least 97 issues were considered less serious, or not applicable, on the latest version of the product.

The overall goal is to make vulnerability assessments more clear and give insight into less common vulnerabilities, Van Horenbeeck explained. One such is denial-of-service (DOS) bugs for which there is now a DOS score in the index.

The light count in this month's update cycle perhaps affords IT pros more time to peruse this Knowledge Base article. The article provides guidance on nonsecurity updates coming through Microsoft's client update services and Windows Server Update Services.