October 11, 2005 5:01 PM PDT

Microsoft plugs Windows worm holes

Microsoft on Tuesday issued fixes for 14 flaws in Windows, including a security hole that one expert says is ripe for exploitation by a major worm.

The majority of the vulnerabilities addressed in nine security bulletins from Microsoft require some user interaction for an attack to succeed. That means an attacker would have to trick people into visiting a malicious Web site, clicking on a bad link or opening a malformed file to exploit the security holes.

However, the vulnerabilities rated "critical" may allow a system to be compromised remotely without any user interaction. One such flaw, described in Microsoft's MS05-051 security bulletin, lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC.

"It is a remote system vulnerability that could very easily be turned into a worm," said Marc Maiffret, the chief hacking officer at security specialist eEye Digital Security. "It is very similar to the vulnerability two months ago that resulted in the Zotob worm."

The MSDTC buffer overflow flaw primarily affects computers running Windows 2000. Depending on configuration, it could also be used against a computer with Windows XP with Service Pack 1 or Windows Server 2003, Microsoft said in its advisory.

"Among the critical updates, customers who run older versions of the operating system such as Windows 2000 should prioritize MS05-051 for deployment on those systems," said Stephen Toulouse, a program manager in Microsoft's Security Response Center.

The MS05-051 update also fixes three other bugs in Windows, but these carry varying risk ratings, depending on the operating system. One, deemed critical, is a flaw in a Windows component that handles resource management tasks, called COM+. This security hole is also found in Windows 2000 and Windows XP SP1.

People who run older versions of the operating system are more at risk from the MSDTC and COM+ vulnerabilities, Toulouse said. That goes for the rest of the 14 flaws tackled by the patches issued Tuesday.

"In general, many of these bulletins have a lower impact in terms of severity and are much more difficult to exploit on newer operating systems such as Windows XP SP2 and Windows Server 2003 SP1," Toulouse said.

Despite being put on the back burner by Microsoft, the older Windows 2000 is still popular among corporations.

Both the MSDTC and COM+ flaws were privately reported to Microsoft by researchers following the company's "responsible disclosure" practices. The software giant said it is not aware of any attacks that exploit the flaws.

Maiffret of eEye said he believes it will be only a matter of days for the first attack code to surface. "There is no technical challenge in writing a worm for the (MSDTC) vulnerability. It really depends if somebody decides to or not," he said. Microsoft's Toulouse said the software giant will be watching for malicious software.

Other risks
Microsoft has labeled two other security alerts as critical. One patch, delivered in MS05-050, fixes a problem in software for streaming media in Windows, called DirectShow. The other, in MS05-052, repairs problems in Internet Explorer similar to those patched in July and August.

The streaming media flaw affects all current versions of Windows. An attacker could exploit the flaw using a malformed media file, Microsoft said. A computer could be compromised when the user opened the file or visited a Web page that hosts the file.

The IE patch cuts links between the browser and other pieces of Microsoft software. The Web browser can inappropriately call on other Windows components, potentially allowing an intruder to commandeer a Windows PC, Microsoft said. The French Security Incident Response Team alerted Microsoft to one of these issues.

Of its six remaining security bulletins, Microsoft tagged four "important"--one notch below critical. These address vulnerabilities in various parts of Windows. One, MS05-048, affects Windows as well as Exchange, Microsoft's e-mail server software, and deals with a component that processes e-mail messages.

Another "important" update aims to repair a problem related to plug-and-play in Windows 2000 and Windows XP. The issue, outlined in MS05-047, cannot be exploited remotely by unauthenticated users, according to Microsoft.

A bug in the same component led two months ago to the spread of the Zotob worm, which took down systems across the United States, including those at cable news station CNN, television network ABC and The New York Times.

Also deemed "important" were bulletin MS05-049, on three vulnerabilities in how Windows deals with certain files and characters, and bulletin MS05-046, which involves a software component that supports Novell NetWare networks.

The last two alerts were given a "moderate" risk rating. One describes an issue with the Network Connection Manager in the 2000, XP and Server 2003 versions of Windows that could cause a system to crash. The update to patch it is delivered in bulletin MS05-045. The other is on a flaw in the Windows FTP client that could allow an attacker to change the location of a file transfer by hosting a malformed file on an FTP server.

Users of Microsoft patching mechanisms, such as Windows Automatic Updates, do not typically need to take action to receive the patches. Microsoft urges other people to download and install the fixes from its Web site.

18 comments

WHEW!!!!
That was a close one! I was glad to see that these holes in the
OS were patched cuz they sound pretty darn serious. But then I
thought, how do I know my OS hasn't already been
compromised and my data at risk? I started to sweat bullets,
especially knowing that since there have been years of patches
and fixes to patches and patches to fixes, there will be more to
come. I just know there are still vulnerabilities that will allow
attackers in. But then I realized.......


I have Mac OS X. WHEW!!!!!

Good luck Windozers, this is just another detour on the Billy
Gates ride you are taking. You may actually someday end up in
that wonderful destination of Security and Stability (not to
mention the beautiful landscaping which make the destination
so enjoyable). The exit to that destination is marked as "Switch".
The decision to exit is up to you. Just don't expect Mr. Gates to
slow down to let you off.
Posted by (57 comments )
You must have more time than me
Please refer to the last discussion.

http://news.cbsi.com/5208-1002-0.html?forumID=1&threadID=10237&messageID=74605&start=-1&reply=true

(I just love how you are so brainwashed that you even use the word "Switch".)
Posted by Andrew J Glina (1673 comments )
Turn Off D*mned Services
Disable all but the two dozen or so core services on your Windows computer. When things don't work then turn them back on one by one. You can use the "dependencies" property on Services to see what is dependent on what. Having a bunch of services turned on, like DTC, just provides more opportunity for infection. Turning off unneeded crud will speed up your computer too.

Why doesn't Microsoft build a simple tool that analyzes your computer environment and tells you what can be turned off? And a one-button solution to temporarily turn on services to do an occasional task, like the Windows Installer service? If you aren't on a corporate network the list of needed services is very short compared to the list of total services available. Out of a total of 91 services on my computer I have 63 turned off.
Posted by Stating (869 comments )
Keith j
Maybe you should make a list :)
Posted by SystemsJunky (409 comments )
Asking for a miracle....
The various comments about unnecessary put downs of the
'other' OS , whatever it happens to be are truly wasted effort, and
prove nothing, and achieve nothing. All OS's have good and bad
features, and if yours doesn't do what you want, then try the
alternatives.

How an OS got to be an OS is also irrelevant. No OS was written
clean from the bottom up; all OS developers capitalized on
existing accomplishments. After all, there is NO sense in
reinventing the wheel. But the techniques used to create an OS
don't make any difference, and the developer's intelligence and
skill aren't defined by the percentage of 'original' code in the OS.

But, while all the 'my OS can beat up your OS' comments are
beyond stupid, we will always have the insecure twits who have
to pour out their banal drivel.

The rest of us can just go ahead and use the OS we have, to do
the jobs we want done, the way we want them done. But, unless
you have significant experience in running a variety of OS's,
don't try to tell anyone whose OS is best. And unless what you
have to offer is relevant to the point being discussed within
CNET, just don't bother dumping your comments in the Talkback
forums.

I'll try to follow my own rules to set the pace....
Posted by Earl Benser (4310 comments )
Please Correct...
If you could refrain from mistaking the term "Hacker" for "Cracker" many who read your posts would be especially thankful. Although it may seem like a minor technicality, it is very important that you do not mix up the two.

Thank you very much, and I look forward to reading more articles!
Posted by (1 comment )
I agree
But I have given up trying to defend the images of hackers. Most do not understand the difference.
Posted by Andrew J Glina (1673 comments )
 
