Microsoft Corp. on Thursday announced plans to release eight security bulletins on April 12, including “critical” fixes for flaws in several widely deployed applications.
As part of its advance notice mechanism, the software giant said five high-priority patches would deal only with flaws in the Windows operating system.
Three more bulletins with a maximum severity rating of “critical” will include fixes for the Microsoft Office suite, the MSN Messenger chat program, and Microsoft Exchange, which is widely used in large corporations using Microsoft infrastructure solutions.
Redmond notified enterprise administrators that some of the Windows, Office and Exchange updates will require a restart and will be detectable using the MBSA (Microsoft Baseline Security Analyzer).
The Microsoft Office and Exchange patches can also be detected with the MBSA.
The MSN Messenger update may also require a restart and can be detected with Microsoft's EST (Enterprise Scanning Tool).
On April 12, the company will also roll out two non-security high-priority updates for Windows on the Windows Update side.
“These will be distributed to Software Update Services and are not required to install the security updates,” according to the advance notice bulletin.
The monthly update of Microsoft's worm removal tool will also be pushed out on Windows Update and the Download Center, but Microsoft stressed that the tool will not be distributed using SUS (Software Update Services).
While Microsoft is withholding technical details on the patches until April 12, there is a growing list of known, unpatched vulnerabilities in Microsoft products.
A list of vulnerabilities
These vulnerabilities include:
Finjan's Alleged Flaws:
Last November, private security consulting firm Finjan Software triggered a debate on responsible disclosure after it released information on 10 new flaws found in the Windows XP SP2 (Service Pack 2) operating system.
Finjan warned at the time that attackers could “silently and remotely” hijack SP2 machines because of “major flaws” that compromise end-user security.
Finjan CEO Shlomo Touboul told eWEEK.com that full technical details of the vulnerabilities—including proof-of-concept code—were given to Microsoft but that the software giant hurriedly downplayed the risks.
“Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2,” the company spokeswoman said.
Office Encryption Weakness:
Hongjun Wu, a researcher at the Institute for Infocomm Research in Singapore, warned that Microsoft's misuse of the RC4 (Rivest Cipher 4) algorithm in its Word and Excel products could open the door for malicious hacker attacks.
“[W]hen an encrypted document gets modified and saved, the initialization vector remains the same and thus the same keystream generated from RC4 is applied to encrypt the different versions of that document.
The consequence is disastrous since a lot of information of the document could be recovered easily,” Wu said.
However, Microsoft maintains that the reported flaw poses a very low threat for users of the two popular word processing programs.
“In some cases, an attacker may be able to read the contents of an encrypted file if multiple versions of that file are available to the attacker,” a Microsoft spokeswoman acknowledged. She urged customers to restrict access to their encrypted Office documents as they are being created and revised, and to save the document with a new password after making changes.
The company promised to investigate Wu's findings and, if necessary, provide a patch at a later date.
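To make Wu's point concrete, here is an added example (not code from the article, from Wu, or from Microsoft) that encrypts two revisions of a document with RC4 under the same key and IV, then shows what an observer holding both ciphertexts can learn without the key, and why re-saving with a new password (the workaround Microsoft suggested) closes the gap. The key derivation (password and IV hashed with SHA-256) and the sample documents are constructed for the demo and are not Office's real key schedule.

```python
# Added example, not from the eWEEK article: shows why reusing an RC4 keystream
# across versions of a document leaks content, and why a fresh key removes the leak.
# The key derivation (password + IV hashed with SHA-256) is a constructed stand-in
# for demonstration only; it is NOT Office's real key schedule.
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str, iv: bytes) -> bytes:
    """Constructed key derivation: same password + same IV => same key."""
    return hashlib.sha256(password.encode("utf-8") + iv).digest()[:16]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(password: str, iv: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, rc4_keystream(derive_key(password, iv), len(plaintext)))


def changed_positions(ct1: bytes, ct2: bytes) -> list:
    """With a shared keystream, ct1 ^ ct2 == pt1 ^ pt2, so every non-zero
    byte marks a position where the document was edited; no key needed."""
    return [i for i, b in enumerate(xor_bytes(ct1, ct2)) if b]


def recover_other_version(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """If one version's plaintext is known (e.g. an older draft that was shared
    in the clear), the other version is (ct1 ^ ct2) ^ pt1 under keystream reuse."""
    return xor_bytes(xor_bytes(ct1, ct2), known_pt1)


def demo() -> dict:
    """Run the flawed scenario and the mitigated one on constructed sample documents."""
    fixed_iv = b"\x00" * 16                       # IV that never changes on save
    draft = b"Offer: 50000 USD, valid to 2005-04-30"
    final = b"Offer: 65000 USD, valid to 2005-05-15"
    pw = "correct horse"

    # Flawed behaviour: same password, same IV on every save => same keystream.
    ct_draft = encrypt(pw, fixed_iv, draft)
    ct_final = encrypt(pw, fixed_iv, final)
    leaked = changed_positions(ct_draft, ct_final)
    recovered = recover_other_version(ct_draft, ct_final, draft)

    # Mitigation the article reports: re-save with a new password => new key
    # and therefore a fresh keystream, so the XOR trick no longer lines up.
    ct_final_newpw = encrypt("staple battery", fixed_iv, final)
    recovered_newpw = recover_other_version(ct_draft, ct_final_newpw, draft)

    return {
        "leaked_positions": leaked,
        "recovered_equals_final": recovered == final,
        "newpw_recovered_equals_final": recovered_newpw == final,
    }


if __name__ == "__main__":
    print(demo())
```

The `leaked_positions` list alone is telling: even without any known plaintext, the edited byte offsets (here the salary figure and the date) fall out of the two ciphertexts. The fix is not a stronger password but a keystream that never repeats, which is what a fresh key or fresh IV per save provides.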
HTML Help ActiveX Control Flaw:
This vulnerability was originally reported as a bug in a previously released patch.
According to research outfit GeCAD NET, at least one attack vector could successfully exploit a known flaw in the HTML Help ActiveX control.
The flaw is still exploitable in Windows XP Service Pack 1 or Windows 2000 Service Pack 4, even when fully patched and up-to-date (MS05-001 included). Users of Windows XP SP2 are not affected.
In late January, Microsoft confirmed GeCAD NET's findings but said this is a new issue that does not challenge the quality of the MS05-001 patch.
A spokeswoman told eWEEK.com that GeCAD NET's publicly reported exploit points to “a different vulnerability” that has not yet been patched.
Windows Media Player 9 Series (Spyware Infection):
It's been almost three months since Microsoft promised a Windows Media Player update to help thwart the threat of spyware infection but, to date, users of the WMP 9 Series remain at risk.
When the issue first surfaced in January, Microsoft officials made it clear that the spyware infection attack scenario did not exploit a vulnerability in the software.
The company later issued an update, but only for the newer WMP 10 software, which is only available on the Windows XP operating system.
When researchers pointed out that WMP 9 users remained vulnerable, Microsoft program manager Marcus Matthias said a fix would be made available at a later date. The issue remains unresolved.
Old-School DoS LAND Attacks:
A month ago, security researcher Dejan Levaja released an advisory to warn that Microsoft's newest operating systems can be penetrated by an old-school-type denial-of-service attack.
Levaja discovered that Windows Server 2003 and XP Service Pack 2 (with Windows Firewall turned off) are susceptible to LAND attacks, a denial-of-service condition caused by sending a packet to a machine with the source host/port the same as the destination host/port.
The LAND attack scenario was discussed in 1997 by Carnegie Mellon's CERT Coordination Center.
Levaja found that a single LAND packet sent to a file server could cause Windows Explorer to freeze on all workstations connected to that server.
“CPU on server goes 100 percent [and] network monitor on the victim server sometimes can not even sniff malicious packet,” Levaja warned.
He said the script could be replayed endlessly to cause a total collapse of the network.
In response, Microsoft said a successful attack could only cause the target computer to perform sluggishly for a short period of time and cannot be exploited to run arbitrary code.
A spokeswoman told eWEEK.com that customers running the Windows Firewall, enabled by default on Windows XP SP2, are not impacted by this issue. In the absence of a patch, she suggested customers adopt TCP/IP hardening practices.
Independent research outfit Secunia recommends that affected users filter traffic with the same IP address as source and destination address.
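The filter Secunia recommends is easy to express at the packet level. The following is an added example (not code from the article, from Levaja, or from Secunia): a minimal IPv4/TCP header parser with two checks, the classic LAND signature (same source and destination host and port) and Secunia's broader same-address rule. The packet bytes are constructed in the block for testing the checks, with checksums zeroed, and are never sent anywhere.

```python
# Added example, not from the eWEEK article: a minimal IPv4/TCP header parser
# with the two checks a defender would apply for LAND-style traffic. The packet
# bytes built below are constructed for the demo (checksums zeroed); nothing is sent.
import socket
import struct


def parse_ipv4_tcp(packet: bytes):
    """Return src/dst addresses and ports for an IPv4+TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    proto = packet[9]
    if proto != 6 or len(packet) < ihl + 20:  # protocol 6 is TCP
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport}


def is_land_packet(packet: bytes) -> bool:
    """Classic LAND signature: source host AND port equal destination host AND port."""
    hdr = parse_ipv4_tcp(packet)
    return bool(hdr) and hdr["src"] == hdr["dst"] and hdr["sport"] == hdr["dport"]


def should_filter(packet: bytes) -> bool:
    """Secunia's broader rule reported in the article: drop any packet whose
    source and destination IP address are the same, regardless of ports."""
    hdr = parse_ipv4_tcp(packet)
    return bool(hdr) and hdr["src"] == hdr["dst"]


def build_sample(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed IPv4 + TCP SYN headers (40 bytes, checksums 0) for testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp


def triage(packets) -> list:
    """Label each packet with the first rule it trips: 'land', 'same-address' or 'ok'."""
    labels = []
    for pkt in packets:
        if is_land_packet(pkt):
            labels.append("land")
        elif should_filter(pkt):
            labels.append("same-address")
        else:
            labels.append("ok")
    return labels


if __name__ == "__main__":
    # Constructed samples: a textbook LAND packet aimed at an SMB file server port,
    # a same-address packet with mismatched ports, and ordinary traffic.
    samples = [
        build_sample("192.0.2.10", "192.0.2.10", 445, 445),
        build_sample("192.0.2.10", "192.0.2.10", 1025, 445),
        build_sample("198.51.100.7", "192.0.2.10", 1025, 445),
    ]
    print(triage(samples))
```

A packet whose source and destination addresses match has no legitimate reason to arrive from the network, so the broader same-address rule costs nothing in false positives and also catches variants that do not keep the ports equal; the article's note that the victim's own network monitor sometimes missed the packet is a reason to place this filter upstream, on a router or perimeter firewall, rather than only on the host.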
“High Risk” IE, Outlook Flaws:
The details are scarce, but Microsoft has already confirmed it was investigating a report from eEye Digital Security about a pair of “high risk” flaws in the Internet Explorer and Outlook products.
eEye, which maintains a Web page with basic information on unpatched Microsoft vulnerabilities, said the newest bugs could allow malicious hackers to run a successful exploit from anywhere on the Internet.
“These are client-side vulnerabilities that could allow attacks via a Web browser or the Outlook client. The risk of a zero-day attack is quite high,” eEye chief hacking officer Marc Maiffret said in an interview with eWEEK.com.
The flaws were discovered in default installations of IE and Outlook and could allow malicious code to be executed, contingent upon minimal user interaction.
Affected software includes all versions of Windows NT 4.0, Windows 2000 and Windows XP, including SP2.
Secunia's advisories database also keeps track of Microsoft product flaws that have not yet been fixed.
There's also a missing advisory from the batch originally scheduled for February, when Microsoft said it would release 13 bulletins.
At the time, a patch with an “important” rating was withheld at the last minute because it required more quality assurance testing. There were no patches from Microsoft in March.