Microsoft Corp.s October batch of security patches comes with a terse warning for Windows 2000 users: Pay special attention to MS05-051, a critical bulletin that covers a worm hole in the operating system.
The bulletin, which addresses four different Windows vulnerabilities, creates a “remote, unauthenticated attack vector” on Windows 2000 systems, triggering fears that a network worm attack might be inevitable.
“This is a similar attack vector that could have the same impact as [the Zotob worm],” said Stephen Toulouse, program manager at the Microsoft Security Response Center.
In an interview with Ziff Davis Internet News moments after Microsoft shipped the monthly security updates, Toulouse underlined the need for businesses to apply the MS05-051 bulletin as the highest possible priority.
“Its hard to predict what will happen, but this is one of those vulnerabilities that could be really dangerous, especially for customers running older versions of the operating system,” Toulouse said.
“If youre running Windows 2000, you want to apply this update as fast as possible. The concern is that we could be looking at another Zotob, because the attack vector is the same,” he added.
The update specifically address code execution holes in MSDTC (Microsoft Distributed Transaction Coordinator), the distributed transaction facility built into Windows; and COM+, the next iteration of the Microsoft Component Object Model, which handles resource management tasks.
The two flaws could allow an attacker to take complete control of unpatched Windows 2000 systems without any user action but, on newer operating systems, the risk is limited to denial-of-service or privilege escalation attacks.
Toulouse said officials at the MSRC would pay close attention to security mailing lists to pinpoint possible distribution of proof-of-concept or exploit code for MS05-051.
As expected, Microsoft released nine bulletins with fixes for 14 vulnerabilities, including a “critical” code execution bug in the Internet Explorer browser. Three of the nine bulletins are considered critical, the companys highest severity rating.
The Internet Explorer update, addressed in MS05-052, affects users of Windows 98, Windows Me, Windows 2000, Windows XP (including Service Pack 2) and Windows Server 2003.
It covers remote code execution vulnerability in the way IE instantiates COM objects that are not intended to be instantiated in Internet Explorer.
“An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited the malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system,” the software makers warning said.
Microsoft has been investigating the COM object issue for several months. Back in August, the company released a security advisory to counter the public release of a zero-day exploit targeting IE users.
With the MS05-052 update, Microsoft now sets the kill bit for a list of CLSIDs (Class Identifiers) to block certain COM objects from being accessed through Internet Explorer.
The third critical bulletin, MS05-050, contains patches for an unchecked buffer in Microsoft DirectShow, the default Windows component used for high-quality capture and playback of multimedia streams. DirectShow is integrated with other DirectX technologies.
Malicious hackers could exploit the DirectShow bug to take complete control of an affected system, but Toulouse said some user interaction is required. For example, the victim must be tricked into launching a specially crafted .avi multimedia file for an attack to be successful.
Toulouse also recommended that Windows users pay special attention to MS05-047, which addresses an issue with the PnP (plug and play) service.
The PnP service, which allows the operating system to detect new hardware installed on a system, was exploited in the Zotob worm attack, but the risk is minimized this time around because of significant “defense-in-depth changes” introduced by Microsoft with the MS05-039 bulletin that was released in August.
“Because of that change we introduced a few months ago, this issue is now rated important, instead of critical,” Toulouse said.
The October bulletins also include:
MS05-046: Rated “important,” this bulletin contains fixes for a code execution flaw in the Client or Gateway Service for NetWare. The vulnerability is described as an unchecked buffer in the service, which is used to allow the client machine to access NetWare file, print, and directory services. This service is also called Gateway Service for NetWare on Windows 2000 Server.
MS05-049: Patches for three different code execution holes in Windows Shell. Affected systems include Windows 2000, Windows XP and Windows Server 2003. This bulletin carries an “important” rating.
MS05-048: A fix for an unchecked buffer in Microsoft CDO (Collaboration Data Objects), a component of the operating system that is used to write programs that create or change Internet mail messages. This vulnerability affects Windows users and businesses running the Microsoft Exchange Server.
MS05-045: Updates a denial-of-service vulnerability in the Windows Network Connection Manager. Microsoft described the flaw as an unchecked buffer that could be exploited to cause the component responsible for managing network and remote access connections to stop responding. The Network Connection Manager is an operating system component that provides a means of controlling a systems network connections, such as those seen in the Network and Dial-Up Connections folder.
MS05-044: This update carries a “moderate” rating and addresses a bug in the Windows FTP Client that could allow file transfer location tampering.