Someone at Microsoft must have wanted to clean house so they could go on vacation when school let out. The June Patch Tuesday contains a large list of vulnerabilities that seem, at least at first glance, to be severe and scary.
And yet this will probably become like most of the other patch days, even for those with many “critical” vulnerabilities.
Responsible individuals and organizations that apply the updates or at least the workarounds and have other reasonable security precautions in place will be perfectly safe.
For many of the vulnerabilities patched June 13 the mitigating factors are significant enough that theyre not all that big a worry.
For instance, at first I was scared of MS06-032, “Vulnerability in TCP/IP Could Allow Remote Code Execution (917953),” because it smelled of a network worm, but in fact its probably not going to amount to much.
It relies on a feature (IP source routing) that is not enabled by default on any version of Windows. Furthermore, any firewall would probably block the IP features through which the attacks are performed. And some of the bugs, like the SMB problem, require local access to exploit—yawn!
Speaking of security software, it seems to me that any up-to-date anti-virus product on the desktop or any network IPS (intrusion prevention system) would be able to block many of these attacks, and most of them probably already are blocking them. Consider the vulnerabilities in PowerPoint and Word, both of which require the victim to open a file that exploits the vulnerability.
All anti-virus software opens and scans these files already as they come in through e-mail or hit the file system. I bet most of these programs already detect these attacks. I know Ive seen anti-virus programs detect vulnerability-based attacks before, not just plain macro malware. MS06-024, “Vulnerability in Windows Media Player Could Allow Remote Code Execution,” is another candidate for such protection since it requires that the user open a malicious file.
Anti-virus programs could also protect against the new vulnerabilities in ART and PNG files, although I wouldnt assume that anti-virus software would check all file types, including these. Ill have to check on this with vendors.
And most modern desktop anti-virus programs incorporate what is effectively an IPS looking for, among many other things, attacks on known vulnerabilities. Such software is in a position to stop MS06-023, “Vulnerability in Microsoft JScript Could Allow Remote Code Execution,” and likely will.
Network IPS can also block such attacks, and more quickly than you could responsibly deploy patches to a large number of systems. I quickly got a notice from Third Brigade that its IPS appliances blocked the attacks described by Microsoft.
There are other protections in Windows and other software that could impede exploitation of these vulnerabilities. Some of them perform stack-based overflows, and therefore stand a chance of being blocked in Windows XP Service Pack 2 and 2003 SP1 (on hardware that supports the NX bit). And IPS software can often block overflows generically, especially in programs like Internet Explorer that its monitoring carefully.
As frustrating as these patch days can be, theres reason to feel optimistic about security. If you take the money and time to protect your systems, and especially if you are able to determine which vulnerabilities require your immediate attention, you can protect your systems very effectively.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at [email protected]