Researcher Pokes Holes in Microsoft Patch

A security researcher finds that Microsoft's MS05-001 update does not adequately patch a critical and exploitable flaw; Redmond says this is a new, unrelated vulnerability.

Microsoft Corp.s first software patch for 2005 does not adequately fix the critical vulnerability it was intended to address, according to a warning issued by IT security services firm GeCAD NET.

After testing the patch released earlier this month in the MS05-001 advisory, GeCAD NET security engineer Valentin Avram said he found at least one attack vector that allows the exploit of the HTML Help ActiveX control vulnerability.

The flaw is still exploitable in Windows XP Service Pack 1 or Windows 2000 Service Pack 4, even when fully patched and up-to-date (MS05-001 included), Avram warned. Users of Windows XP SP2 (Service Pack 2) are not vulnerable to the attack method.

GeCAD NET is withholding technical details on the exploit method until a fix is available.

A Microsoft spokeswoman confirmed receipt of the GeCAD NET warning but said this is a new issue that does not challenge the quality of the MS05-001 patch.

"[That update] does protect against the publicly reported vulnerability that Microsoft was made aware of in late December 2004," the spokeswoman said in a statement released to

She said GeCAD NETs publicly reported exploit points to "a different vulnerability than the one addressed in MS05-001."

Microsofts initial investigations confirm that the flaw could be exploited to cause the HTML Help control to execute code on a users computer. "An update for Internet Explorer is currently being developed to address this new vulnerability," the spokeswoman said.

"This update will be released when it has been found to be a quality fix for the vulnerability, either through our monthly release process or an out-of-cycle security update."

Independent security firm Secunia is maintaining a highly critical rating on the IE flaw, which can be exploited by malicious hackers to compromise a users system, conduct cross-site/zone scripting and bypass a security feature in Windows XP SP2.

On patch day this month, Stephen Toulouse, program manager at the Microsoft Security Response Center, said the MS05-001 patch was meant to "mitigate" the risks created by the IE vulnerability until a cumulative browser fix can be properly created and tested.

"This helps mitigate against some of those threats and discussions weve seen during the last week," Toulouse told "This patch specifically prevents the HTML Help Control from being used by remote Web sites out of the Internet zone."

Public exploits have been circulating since December to take advantage of the two flaws. "With the HTML Help patch, it reduces the criticality until we can get the IE fix finished and ready. Instead of being at risk by just visiting a Web page, the user would not have to take action on the page," he said.

Meanwhile, the latest revelation caps a busy week for Microsofts security investigators as several new flaws were revealed for the companys Office productivity suite and MSN chat network.

Hongjun Wu, a researcher at the Institute for Infocomm Research in Singapore, issued an alert for a "serious security flaw" in the way document encryption is implemented in Microsofts Word and Excel products, warning that a widely-used encryption algorithm is being misused by the software company. According to Wu, Microsoft is misusing the RC4 (Rivest Cipher 4) algorithm that is licensed from RSA Data Security.

However, Microsoft officials downplayed the threat on Thursday to, insisting that the reported flaw poses a very low threat for users of the two popular word processing programs.

/zimages/6/28571.gifClick here to read more about the Office Encryption Weakness.

Other warnings on Thursday concerned a new Internet worm attacking users of Microsofts popular MSN Messenger chat network. According to an advisory from F-Secure, the new W32/Bropia-A worm users MSN Messenger to lure users into downloading one of the following files: "Drunk_lol.pif"; "Webcam_004.pif"; "sexy_bedroom.pif"; "naked_party.pif"; or "love_me.pif."

The latest threat comes follows Octobers Funner worm attack and signals a growing trend to use instant messaging as a delivery mechanism for malicious activity.

Editors Note: This story was updated to include information on other recent worms and exploits of Microsoft products.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.