Security Watch

Keeping Track of patches and hacks in the IT security world.

Microsoft to Play Hooky on Patch Tuesday

Microsoft is taking a breather from security, with no security updates coming on this month's Patch Tuesday, March 13.

The company posted a note to that effect on its security bulletin advance notice page on March 8.

Microsoft will still be putting out its monthly updated version of the Microsoft Windows Malicious Software Removal Tool, which will come via Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. The company isn't distributing it with SUS (Software Update Services), however.

Microsoft is also putting out some high-priority updates that aren't related to security, on Microsoft Update, Windows Update, Windows Server Update Services and Software Update Services.

There are currently five outstanding zero-day flaws in Microsoft products. eEye Research has them listed on its Zero-Day Tracker.

The most recently reported of the five is a Word 2000 vulnerability that could allow a remote attacker to take over a PC with the rights of a logged-in user. It requires user interaction, such as a user opening a file manually off a Web site or from e-mail as an attachment. McAfee reported this as a vulnerability distinct from previous Word zero-day vulnerabilities, of which there has been a bumper crop lately.

To wit: In February, Microsoft put out a cumulative bulletin with patches for six problems in Word, five of which were rated as critical in the Office 2000 version. They included fixes for a malformed strong vulnerability, malformed data structure flaw, malformed object drawing glitch, malformed function problem and a Word count issue.

Microsoft has acknowledged that the outstanding vulnerability causes a denial of service for Word, but it claims that it's impossible to exploit. eEye notes, however, that with no technical details released, we can't be sure it's not exploitable. Still, the flaw is rated as being of only medium risk.

The other outstanding flaws, all of medium or low risk, are a flaw in Windows MessageBox, an Internet Connection Sharing denial of service, a local denial of service on Microsoft Office 2003 PowerPoint, and an RPC memory exhaustion issue.

Last month's Patch Tuesday witnessed Microsoft's all-time high for security fixes, as the company shipped out a dozen bulletins to fix 20 holes in products, including 11 critical issues in Windows, Office, IE and even its own anti-virus tools.

According to a Microsoft spokesperson, this is the fourth Patch Tuesday sans patches since Microsoft started the monthly update cycle in November 2005.

The spokesperson pointed to Microsoft Security Advisories as being a way for Microsoft to communicate security information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin. He also pointed to the MSRC Blog, for alerts around public threats.

As far as current open zero-days go, the spokesperson said that after Microsoft has completed its investigations, it will provide a security update, possibly an out-of-cycle update, if it's warranted.

"Microsoft is almost always investigating potential and existing vulnerabilities in an effort to help protect our customers," he said. "Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product-specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release."