Microsoft Publishes Four Critical Updates
Patch Tuesday comes with the publication of six new security bulletins that collectively address vulnerabilities in Windows, IE, Outlook Express, Office and Visio.
As expected, Microsoft Corp. today published six new security bulletins that collectively address vulnerabilities in its Windows, Internet Explorer, Outlook Express, Office and Visio products.
Four of the bulletins are of critical severity, Microsoft said. They include:
- a Cumulative Security Update for Outlook Express and Microsoft Mail, which patches a total of four vulnerabilities
All four critical security updates fix flaws that could lead to Remote Code Execution exploits, Microsoft said.
In order to exploit the Schannel vulnerability, an attacker would have to first construct a malicious SSL/TLS Web page and then lure users into visiting it, either via a Web browser or an application (such as an HTML rendering email client) that supports SSL/TLS. In most cases, Microsoft claims, the vulnerability would cause the Web browser or application to exit. A user would then have to reboot her system to access any legitimate Web sites or resources that depend on SSL or TLS. Under certain conditions, however, an attacker could exploit the Schannel vulnerability to execute arbitrary code on a compromised system.
The new IE rollup patches a total of six vulnerabilities, all but one of which are associated with a potential remote code execution risk.
It replaces an IE security roll-up that Microsoft released last month.
The vulnerabilities are:
- a COM Object Instantiation Memory Corruption flaw
The latter is the only flaw which isn't associated with a remote code execution risk. All six flaws can be exploited in the usual way: i.e., an attacker constructs a malicious Web page and then entices (e.g., via a hyperlink embedded in an e-mail) a user into viewing the page.
None of these vulnerabilities had previously been disclosed, Microsoft confirmed, and no known exploit or proof-of-concept code exists.
The Outlook Express/Microsoft Mail update patches two privately-reported and two-publicly disclosed flaws -- at least one of which (a Microsoft Mail vulnerability) could allow remote code execution in Windows Vista. The three other vulnerabilities pose a potential information disclosure risk, according to Microsoft.
An attacker can exploit all four flaws by constructing a malicious Web page and enticing (e.g., via a hyperlink embedded in an email) a user into viewing the page. The information disclosure vulnerabilities cannot be directly exploited in Outlook Express. Elsewhere, Microsoft indicated, the risk of information disclosure corresponds to a user's account status or access privileges: i.e., a user who has fewer rights could be less impacted than another user who has administrative privileges.
The security bulletin associated with the Outlook Express/Microsoft Mail vulnerabilities had not been published as of press time. As a result, detailed vulnerability and exploit information wasn't available.
Ditto for the Win32 API vulnerability, which -- like its Patch Tuesday kith -- could allow remote code execution (along with elevation of privileges) if the affected component is used locally by a malicious application. As a result, Microsoft warns, any software that uses the vulnerable Win32 API component is susceptible to attack. Examples include IE, which invokes the vulnerable Win32 API function when it parses certain Web pages.
Once again, the security bulletin associated with the Win32 API vulnerability had not been published as of press time. As a result, detailed vulnerability and exploit information wasn't available.
Elsewhere, Microsoft warned of several vulnerabilities in Microsoft Visio 2002 (SP2) and Microsoft Visio 2003 (SP2) that also affect Microsoft Office 2003. The 2007 Office System is not affected by these vulnerabilities, Microsoft said.
The first of these flaws -- a Version Number Memory Corruption vulnerability -- poses a remote code execution risk. It stems from a flaw in the way Visio handles version numbers in its native (.VSD, VSS, or .VST) file formats. The upshot, Microsoft acknowledged, is that Visio doesn't correctly validate the version number field when it processes the contents of a file. As a result, an attacker could construct a malicious .VSD, .VSS., or .VST document and embed it in an email, host it on a Web site, or disseminate it by other means (e.g., instant messaging, FTP, etc.).
The second flaw -- a Visio Document Packaging vulnerability -- also carries a remote code execution risk. It stems from a flaw in the way Visio handles the parsing of packed objects stored in its native .VSD, .VSS, or .VST formats. Once again, an attacker could exploit the vulnerability by constructing malicious .VSD, .VSS., or .VST documents and embedding them as e-mail attachments, hosting them on Web sites, or by disseminating them by other means (e.g., instant messaging, FTP and so on).
An attacker who successfully exploits this vulnerability could take complete control of a compromised system, Microsoft acknowledged. Neither of these vulnerabilities had previously been disclosed, Microsoft confirmed, nor does any known exploit or proof-of-concept code exist.
The final flaw -- a potential Information Disclosure vulnerability in Windows Vista -- has a moderate severity rating. The vulnerability stems from an improper default configuration of Vista's Access Control Lists. Under certain, undisclosed conditions, an attacker or non-privileged user could access Vista's local user information data store and potentially even harvest administrative passwords stored in the registry and local file system. Microsoft's update applies the correct ACL restrictions to Vista's user information stores.
This vulnerability had not previously been disclosed, Microsoft confirmed, nor do any known exploit or proof-of-concept code samples exist.
Microsoft also published seven non-security, high-priority updates, which are available via Microsoft Update and Windows Server Update Services. In addition, the software giant has prepped another version of its Windows Malicious Software Removal Tool.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.