Microsoft fixed bugs in the WINS name server resolution protocol and a file format vulnerability in PowerPoint for its May Patch Tuesday.
Microsoft issued two security bulletins in May's Patch Tuesday release.
Security experts said administrators should apply the fixes immediately
because, despite their small size, they address significant threats.
Microsoft fixed a critical
vulnerability affecting Windows Server and an important bug in Microsoft Office
PowerPoint, according to the Patch
Tuesday advisory released May 10. Microsoft also assigned separate
"exploitability" scores for newer versions of the software under the "improved"
exploitability index ratings.
The team fixed a critical
vulnerability (MS11-035) in the WINS component in Windows Server 2003 and 2008.
WINS is a name-resolution service that resolves names in the NetBIOS namespace
and does not require authentication to use. While usually not available by
default in Windows Server, it is commonly used in the enterprise for internal
network servers. Administrators who have enabled WINS in Windows Server should
apply the patch immediately as attackers could remotely cause a denial of
service, according to Wolfgang Kandek, the CTO of Qualys.
"What might make the WINS
vulnerability appealing to attackers is that it is a server-side issue," Joshua
Talbot, security intelligence manager, Symantec Security Response, told eWEEK.
Unlike other threats,
attackers don't have to trick a user into doing anything since it's just a
matter of finding a vulnerable server and feeding the machine "a malicious
string of data," according to Talbot. It is also a more serious issue on Windows
Server 2003 than on 2008 because Windows Server 2008 has built-in protections
such as DEP (Data Execution Prevention) and ASLR (Address Space Layout
Randomization). However, attackers can still create exploit code to get past
those security features, Talbot said.
The other "important"
bulletin (MS11-036) addressed a security flaw in all versions of Microsoft
Office PowerPoint except Office 2010. The bug would allow attackers to take
full control of the target machine as soon as the user opens a malicious PPT
file.
Both WINS and PowerPoint
vulnerabilities are fairly significant, according to Tyler Reguly, technical
manager of security research and development at nCircle. File-format
vulnerabilities are "popular exploits" but WINS is remote code execution, so it
was "difficult" to decide which was the "biggest risk today."
Microsoft listed both
vulnerabilities using the new exploitability ratings. The PowerPoint bulletin was
rated "1" (consistent exploit code likely) for older software releases,
but 0 for the latest software because Office 2010 is not affected. The WINS patch
was rated "2" for both the latest and older versions because it affects all
versions.
The updated rating system is
intended to make it easier for IT administrators to determine their risk level,
according to Microsoft.
"With massive updates such
as we had in April, it's easy to get overwhelmed. Microsoft's new index
simplifies the process, which will help IT administrators to prioritize which
patches they tackle first," said Dave Marcus, director of security research and
communications at McAfee Labs.
The small release means
administrators should "brace themselves for a larger update" in June, according
to Kandek.
To complicate things for IT
administrators, a fake Patch Tuesday update is making the rounds, according to
security researchers at Websense Security
Labs' ThreatSeeker network. The malware is spread via a link inside an email
message, supposedly from "Microsoft Canada Co.," which informs users that
Microsoft has issued a "Security Update for Microsoft Windows OS," wrote Amon
Sanniez, associate security researcher at Websense. Clicking on the link
downloads the fake patch to the computer and infects the system with a Zeus
Trojan variant, according to Sanniez.
It "ties in almost
perfectly" with the real Patch Tuesday updates from Microsoft, Sanniez said.
The email looks quite
legitimate and shows "some effort" went into the creation, as the message is
presented in both English and French, and the display names within the headers
actually say the mail originated from Microsoft Canada.
The malicious executable is
currently not being detected by most major antivirus products tracked on VirusTotal,
so IT managers should be careful that none of their staff members or users
click on the link to get the security update. Websense said it is a low-volume
threat, possibly aimed at a handful of companies.