Security

Microsoft said on Thursday it will issue six patches next week for 15 vulnerabilities, including three critical bulletins affecting Windows and two important Office-related bulletins.

Affected software includes Windows 2000, XP, Server 2003, Vista, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Office 2004 for Mac, and Office 2008 for Mac, the company said in an advisory.

November's Patch Tuesday is a contrast to the record number of fixes issued last month--13 bulletins for 34 vulnerabilities.

Updated 2:52 p.m. PST to correct that there will be six patches fixing 15 vulnerabilities.

Tuesday was the biggest Patch Tuesday ever as Microsoft released 13 bulletins for 34 vulnerabilities. But just because Microsoft issues patches, does that mean that users should apply them? Yes, says Ben Greenbaum, senior research manager for Symantec Security.

Greenbaum said that these patches impacted many Microsoft products, including Windows 7 that isn't even out yet.

Microsoft released a record number of 13 bulletins for 34 vulnerabilities on Patch Tuesday--and the first critical update for Windows 7--as well as fixes for zero-day flaws involving Server Message Block (SMB) and Internet Information Services (IIS).

The most severe of the three SMB flaws, which were first reported last month, could allow an attacker to take control of a computer remotely by sending a specially crafted SMB packet to a computer running the Server service. Exploit code for one of the SMB holes has been posted to the Web, Microsoft said.

Windows 7 is affected by two critical patches intended to mend vulnerabilities that could allow remote code execution if a malicious Web page were viewed, one part of a cumulative security update for Internet Explorer and the other in .Net Framework and Silverlight.

The official release date for Windows 7 is October 22, but the new operating system has been available to some large businesses with volume licenses since the summer. The code was finalized in July.

Other critical patches in the security bulletin for October fix a vulnerability in Windows Media Runtime that could be exploited if a user opened a malicious media file or received malicious streaming content from a Web site or application, and if a specially crafted ASF (Advanced Systems Format) file is played using Windows Media Player 6.4.

Among the critical updates: a cumulative security update of ActiveX Kill Bits that is being exploited and that affects ActiveX controls compiled using Active Template Library (ATL); and another patch resolving several vulnerabilities in ATL ActiveX Controls that could allow remote code execution if a user loaded a malicious component or control. ActiveX and ATLs were the subject of an emergency patch Microsoft released in July.

The final critical bulletin fixes a hole in Windows GDI+ (Graphics Device Interface) that could allow an attacker to take control of a computer if the user viewed a malicious image file using affected software or browsed a malicious Web page.

"Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows, and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse-engineer today's patches, which may very well lead to exploits being created," said Dave Marcus, director of security research and communications at McAfee Labs.

Related "For the Record" podcast, with Symantec's Ben Greenbaum
Listen now: Download today's podcast

Nine of the vulnerabilities were previously disclosed, which meant that attackers had time to come up with so-called "zero-day" exploits before the patches were available, Marcus noted.

The most alarming vulnerability in the mix is the SMB flaw, which was introduced by the patch for a different vulnerability, according to Josh Phillips, virus researcher at Kaspersky Lab.

Andrew Storms, director of security operations at nCircle, said the bug that is likely to have the biggest impact will be the critical one that affects Windows Media Runtime and involves a speech codec bug that has limited exploits in the wild. "This is a typical file-parsing issue and similar to vulnerabilities that have allowed attackers to create drive-by attacks that infect unsuspecting video viewers," he said.

Meanwhile, the critical SMB vulnerability is relatively difficult to exploit given default firewall conditions, but the IIS bugs are easy to exploit, Storms added.

"The sheer volume of the bulletins and patches is extreme," said Jason Miller, senior data team leader for Shavlik Technologies. "This is really going to affect administrators. It's going to be very challenging because of the time and research that's going to be needed" to patch systems.

Also released were five bulletins rated "important" to fix vulnerabilities in IIS, for which exploit code has been publicly released and for which there have been limited attacks, along with Windows CryptoAPI, Windows Indexing Service, Windows Kernel, and Local Security Authority Subsystem Service.

The update for Windows CryptoAPI relates to flaws in the way domain names are verified on the Internet, which could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. The holes were revealed by researchers Dan Kaminsky and Moxie Marlinspike at Defcon in August.

Affected software includes Windows 7; Windows 2000; Windows XP; Windows Vista; Server 2003 and 2008; Office XP, 2003, and 2007; Microsoft Office System; SQL Server 2000 and 2005; Silverlight; Visual Studio .Net 2003; Visual Studio 2005 and 2008; Visual FoxPro 8.0 and 9.0; Microsoft Report Viewer 2005 and 2008; Forefront Client Security 1.0; and Office software including Visio, Project, Word Viewer, and Works.

The installation also removes the Win/FakeScanti Trojan, which displays fake malware warnings and then asks computer users to pay for fake antivirus software.

(For more information and analysis from Symantec, listen to my colleague Larry Magid's podcast.)

Update: This story was updated at 2:15 p.m. PDT with additional comment and at 11:47 a.m. PDT with more details and reaction from experts.

Microsoft on Thursday said it will provide a fix next week for zero-day flaws in Microsoft Server Message Block (SMB) and Internet Information Services (IIS) that could allow an attacker to take control of a computer.

Those are just two of the 34 vulnerabilities addressed in 13 bulletins (eight of which are critical and five of which are rated important) that will be fixed during Patch Tuesday, according to a blog post on the announcement. The bulletins affect Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server, the advisory shows.

The SMB flaw was reported a month ago. At the time, Microsoft said it affected Vista, Windows Server 2008, and the "release candidate" version of Windows 7, but not the final version that was completed in July. Windows Server 2008 R2 is not vulnerable, and neither are the earlier Windows XP and Windows 2000 operating systems.

Microsoft, which previously released a temporary fix for the SMB hole, reported the IIS flaw in the File Transfer Protocol in August. Its its advisory says there have been limited attacks that use the IIS flaw exploit code, which was posted on the Milw0rm Web site, according to IDG News Service.

Update 2:56 p.m. PDT: Also on Thursday, Adobe Systems announced that it will release an update Tuesday that will resolve a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier on Windows, Macintosh and Unix that has reportedly been exploited in the wild in limited targeted attacks.

"Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista are protected from this exploit," Adobe said in an advisory. "Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible."

Microsoft issued a formal security advisory late Tuesday on a reported zero-day flaw in Windows Vista and Windows Server 2008. However, the software maker also said that the flaw does not affect the final version of Windows 7, contrary to earlier reports.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation," Microsoft said in the advisory. "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

The flaw could allow an attacker to gain control of a system, although Microsoft said that "most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

The software maker said it is working with security software partners to provide information that can be used to create protections. Once its investigation is wrapped up, Microsoft said it will take action, which could include releasing a patch during its next monthly cycle or doing an "out-of-band" release, if necessary. Tuesday was Microsoft's monthly release for patches, which included five critical Windows updates addressing eight vulnerabilities.

The software maker said the latest issue affects the "release candidate" version of Windows 7, but not the final version that was completed in July. Also, the recently completed Windows Server 2008 R2 is not vulnerable, Microsoft said, nor are the earlier Windows XP and Windows 2000 operating systems.

Microsoft is already dealing with a separate, still unpatched flaw reported last week. Attacks have already been seen based on that vulnerability. Microsoft has taken issue with the fact that that flaw, like the latest one, was reported publicly as opposed to being privately disclosed to Microsoft, giving the company time to patch it.

Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.

While the issues affect different versions of Windows differently, Microsoft said none of the issues apply to the final version of Windows 7, which Microsoft wrapped up in July.

The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files. "We've seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected."

McAfee Avert Labs director Dave Marcus said that two of the flaws, in particular, relate to serious security vulnerabilities in the networking components of Window Vista, Windows Server 2008 and Windows Server 2003 that could allow for malicious software to spread from one PC to another.

"These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," Marcus said in a statement. "That said, all of today's security bulletins address vulnerabilities that could allow an attacker to take complete control of a vulnerable PC."

In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.

Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week. "Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately," Greenbaum said. "We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5."

There are already some attacks being seen based on that flaw.

"While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution," Microsoft said.

Meanwhile, Microsoft said Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.

As for the patches Microsoft did release on Tuesday, Qualys CTO Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions--the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.

"Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators," Qualys CTO Wolfgang Kandek said in an e-mail.

This is the error message on the Norton support Web site after users reported that the patch failed to install properly.

(Credit: Symantec)

Symantec is providing a fix for customers who got error messages after a patch deployment went awry for some Norton users, the company said on Tuesday.

The problem started last Wednesday when Symantec deployed patches for Norton AntiVirus 2009, Norton Internet Security 2009, and Norton 360 v3 via LiveUpdate. Some customers received error messages saying that there was a problem with the Symantec Service Framework.

The patch, which is supposed to communicate with the hardware to ensure that it is correctly installed, did not handle the response from the hardware properly after it was installed, a company spokeswoman said.

The problem affected a small number of users, or fewer than 1 percent, and most of the customers reporting a problem are using PCs that have been specially configured or customized and are not "out-of-the-box" PCs and "only after reboot," the spokeswoman said.

There were more than 630 messages on the Norton user forum about the topic, a number of which expressed frustration with Symantec and accused the company of not doing enough to keep customers informed about the problem.

"This is insane. I'm looking for other antivirus options now and will soon remove Norton from all three of my machines. Next I'm going to post a review on Epinions advising others to stay far away," wrote one user. "This is garbage and I've had more than enough."

Another user wrote: "Well I just used the Norton Removal Tool for likely the last time. When the browser window with the Norton reinstallation instructions popped up, I chuckled as I closed it out and navigated to a competitor site were I promptly downloaded another AV product."

The company first learned of the problem from posts to the forum last Wednesday and posted messages the next day saying it was investigating the problem. It then provided an official response on Friday saying the problem had been identified, according to the spokeswoman. The fix was posted on Symantec's knowledge base and the forum on Saturday, she said.

Symantec customers can visit this Symantec page to download the fix.

Symantec also set up a link on Tuesday through Microsoft WinQual to help users locate a fix and will make the fix available to customers automatically via LiveUpdate this week, according to the spokeswoman.

The problem comes less than six months after Symantec released a diagnostic patch for some of its older Norton products that did not identify its origin and thus triggered alerts on firewalls. The company blamed human error for the release of the unsigned patch, a program dubbed "PFST.exe."

Microsoft on Tuesday released nine patches, five of them critical, to plug holes in Windows and other software products.

The nine patches actually relate to 19 separate vulnerabilities in Windows, the .Net Framework, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server, and Remote Desktop Client for Mac.

Among the issues addressed is one that Microsoft warned about last month--a vulnerability related to the Office Web Components that help users put spreadsheets, charts, and other documents onto the Web. At the time, Microsoft said it was already seeing attacks based on the flaw, which affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.

More information on that issue and the others addressed with this month's patches is available in a bulletin on Microsoft's Web site.

As is its practice, Microsoft said last week that the patches were coming.

Symantec senior research manager Ben Greenbaum noted that many of the vulnerabilites this month related to so-called ActiveX controls and added that many of the holes could be exploited just by getting a user to visit a Web page that has malicious code.

"All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user," Greenbaum said in an e-mail. "For example, any user who has Microsoft Office on their machine could be vulnerable to the Microsoft Office Web Components vulnerabilities. Similarly, every user with Windows XP SP3 or Vista could also be susceptible to one of the Remote Desktop Connection issues."

Actually, not all versions of Office are affected, as the Web components issue does not affect the latest version--Office 2007. For a list of Office programs affected, see this security bulletin.

In any case, McAfee and Lumension both noted that it continues to be a long, hard summer for IT professionals who have had to deal with a large number of regular patches and some unscheduled ones as well from Microsoft and others.

"There's no break from patching this summer," McAfee Avert Labs' Dave Marcus said in a statement. "Microsoft is playing catchup with these patches as cybercriminals have already used some of the serious vulnerabilities to commandeer vulnerable Windows computers."

Lumension analyst Paul Henry said there had been some fear that the patches would go further, addressing some kernel-level issues. But even still, he said the latest crop of patches will bring their fair share of headaches.

"After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need is yet another large batch of patches from Microsoft," Henry said in a statement. "Unfortunately, that is exactly what we got today as Microsoft released a total of nine security updates, five of which are critical and seven of which require disruptive restarts."

Microsoft will issue fixes for five critical holes affecting Windows and a variety of other software on Patch Tuesday next week.

The critical holes, which could allow an attacker to remotely run code on a PC and take control of it, affect Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and 2008, Windows Client for the Mac, Office 2000, XP and 2003, Microsoft Office Small Business Accounting 2006, Visual Studio .NET 2003, Microsoft Internet Security and Acceleration Server 2004 and 2006, and BizTalk Server 2002, according to a Microsoft security advisory released on Thursday.

Four additional vulnerabilities, rated "important," affect Windows and Windows .NET Framework and could allow an attacker to remotely execute code, launch a denial-of-service attack or elevate system privileges, the company said.