After two ho-hum months we all knew a more significant patch day was coming in July. By the time the next one comes around, Windows XP Service Pack 2 may have gone “gold,” changing the landscape somewhat. But there still may be patches, even in August.
I took note of the fact that none of the recent updates—neither those on the recent Patch Tuesday nor the “configuration change” a week or two earlier—showed up for Windows XP SP2 users. And none of the attack code I tested on SP2 for those vulnerabilities worked. There were some claims that the shell API update (MS04-024) didnt work, but as best I can tell, these claims have been discredited.
The two critical updates got most of the attention from analysts and the press, but I was more interested in MS04-024, which addresses a vulnerability that has been known for some time to researchers, and for which proof-of-concept attack code had long been available. On Microsofts conference call about the updates, several callers asked what I had asked: Why was MS04-024 only deemed “important” and not “critical”? The companys response was that an exploit of the shell API bug required user intervention to invoke, and that it is not “wormable.” Im really not sure this is the case, but in any event, dont believe Microsoft: Treat this one as critical.
And while they called MS04-022—aka “Vulnerability in Task Scheduler Could Allow Code Execution”—”critical,” Ive seen research to indicate that this vulnerability may be easier to exploit than reported. Turns out browsing a directory in Windows Explorer in effect invokes the same vulnerable DLL in order to render the proper icon for a .job file (a Task Scheduler file). In any event, “critical” is “critical”—theres no “super critical”—so its not like Microsoft underrated it.
This Task Manager bug and the IIS4 bug in MS04-021 are quite serious, and even researchers learned about them for the first time on Tuesday—at least as far as we know. There wont be any day-zero attacks on these. In fact, I think the severity of the IIS4 problem is being overstated since: a) IIS4 is a dying product and soon wont have any support at all, so only a fool would run it; and b) its not vulnerable in the default configuration.
From what I see in security scuttlebutt circles, Microsoft took out the two biggest unpatched threats out there with MS04-024 and the “configuration change” earlier in the month that set the “kill bit” on the ADODB.Stream interface. There are other threats out there, including some that can potentially execute arbitrary code, although thats not proven. The help-related bugs patched in MS04-023 were also long-known.
If Microsofts response from next month on is to say “SP2” to every threat that comes along, then they have a huge burden to get SP2 out there as widely as possible. I want to see it at my supermarket checkout, in the bag with my Sunday paper. And they better give a copy to every kid in every school. Lots of us have broadband now, but its too big to expect people to download.
I mentioned that none of the attacks recently patched worked on SP2, but there are other attacks out there. Most of them are targeted at the shipping versions of Windows and Internet Explorer, which is pretty reasonable from the research standpoint, but I know that theyre migrating to SP2, just like everyone should. Ive tried to test a bunch of them on SP2 and found one that appears to work. It involves inserting illegitimate commands into an onmousedown handler, and the potential for doing real damage with it is unclear.
Very few actual day-zero real-world attacks have occurred and almost all the attacks we see are in fact combinations of exploits. This is all the more embarrassing for Microsoft because it means two or more problems werent fixed in time. This sort of thing becomes possible when Microsoft takes many months to fix problems that the whole of the security community knows about. SP2 could change things, but Ill be surprised if the monthly Patch Day and all the excitement that goes with it die off.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer