Huge Patch Day, Small Bombshell

By Larry Seltzer  |  Posted 2006-06-14 Print this article Print

Opinion: More and more, security software already in use can act as an interim workaround for vulnerabilities.

Someone at Microsoft must have wanted to clean house so they could go on vacation when school let out. The June Patch Tuesday contains a large list of vulnerabilities that seem, at least at first glance, to be severe and scary. And yet this will probably become like most of the other patch days, even for those with many "critical" vulnerabilities. Responsible individuals and organizations that apply the updates or at least the workarounds and have other reasonable security precautions in place will be perfectly safe.
For many of the vulnerabilities patched June 13 the mitigating factors are significant enough that theyre not all that big a worry.
For instance, at first I was scared of MS06-032, "Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)," because it smelled of a network worm, but in fact its probably not going to amount to much. It relies on a feature (IP source routing) that is not enabled by default on any version of Windows. Furthermore, any firewall would probably block the IP features through which the attacks are performed. And some of the bugs, like the SMB problem, require local access to exploit—yawn! For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. Speaking of security software, it seems to me that any up-to-date anti-virus product on the desktop or any network IPS (intrusion prevention system) would be able to block many of these attacks, and most of them probably already are blocking them. Consider the vulnerabilities in PowerPoint and Word, both of which require the victim to open a file that exploits the vulnerability. All anti-virus software opens and scans these files already as they come in through e-mail or hit the file system. I bet most of these programs already detect these attacks. I know Ive seen anti-virus programs detect vulnerability-based attacks before, not just plain macro malware. MS06-024, "Vulnerability in Windows Media Player Could Allow Remote Code Execution," is another candidate for such protection since it requires that the user open a malicious file. Exploits are appearing for the new crop of vulnerabilities. Click here to read more. Anti-virus programs could also protect against the new vulnerabilities in ART and PNG files, although I wouldnt assume that anti-virus software would check all file types, including these. Ill have to check on this with vendors. And most modern desktop anti-virus programs incorporate what is effectively an IPS looking for, among many other things, attacks on known vulnerabilities. Such software is in a position to stop MS06-023, "Vulnerability in Microsoft JScript Could Allow Remote Code Execution," and likely will. Network IPS can also block such attacks, and more quickly than you could responsibly deploy patches to a large number of systems. I quickly got a notice from Third Brigade that its IPS appliances blocked the attacks described by Microsoft. There are other protections in Windows and other software that could impede exploitation of these vulnerabilities. Some of them perform stack-based overflows, and therefore stand a chance of being blocked in Windows XP Service Pack 2 and 2003 SP1 (on hardware that supports the NX bit). And IPS software can often block overflows generically, especially in programs like Internet Explorer that its monitoring carefully. As frustrating as these patch days can be, theres reason to feel optimistic about security. If you take the money and time to protect your systems, and especially if you are able to determine which vulnerabilities require your immediate attention, you can protect your systems very effectively. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel