November 14, 2006 1:26 PM PST
Microsoft plugs Windows worm holes
As expected, the company issued six security bulletins as part of its monthly patch cycle. Five of the updates were tagged "critical," Microsoft's highest rating of attack risk. One alert, MS06-069, calls out flaws in Adobe Systems' Macromedia Flash Player, which shipped with Windows XP. The others cover vulnerabilities in Microsoft software.
All of Microsoft's fixes address vulnerabilities in software related to its Windows operating system. Three of the security holes could be exploited remotely by an anonymous attacker without the user having to take any action, such as clicking on a link. The remaining five would require people to visit a malicious Web site or open a malicious file for an attack to succeed, according to Microsoft's alerts.
The most urgent issue is a flaw in Microsoft's "Workstation Service" in Windows 2000 and Windows XP, said Amol Sarwate, a research manager at vulnerability management company Qualys. "Attackers can remotely send malicious packets and cause code execution," he said. The problem is described in Microsoft alert MS06-070.
The Workstation Service routes file system and print requests, both local and on a network. It is a key part of Windows that can't be turned off or easily protected by a firewall, Sarwate said. "Really, the only solution is to apply the patch as soon as possible," he said.
The problem is most severe for Windows 2000, said Christopher Budd, a security program manager at Microsoft. "There is the potential risk of a worm for Windows 2000, but you don't have that with Windows XP SP 2," he said. The threat to Windows XP is mitigated because of its firewall and different networking technology, Budd said.
A hacker could exploit the Workstation Service flaw by creating a specially crafted message and sending it to a vulnerable computer. "An attacker who successfully exploited this vulnerability could take complete control of the affected system," Microsoft said in its security bulletin, which it rates "critical."
More worm holes
Two other vulnerabilities expose Windows machines to a similar risk of being used to spawn worms. These affect Microsoft's Client Service for NetWare and the NetWare Driver, which let Windows systems access network services on servers running Novell NetWare. However, this software is not installed by default.
"The NetWare software could be turned off. It is just less prevalent," Sarwate said. In security bulletin MS06-066, Microsoft deems the NetWare issues "important," one notch below "critical" in its four-tiered rating scheme.
The WorkStation Service and NetWare flaws are the network security issues addressed by Microsoft's bulletins. The other problems require some form of user action to be exploited and are known as client-side flaws.
The Microsoft Agent, a help tool that succeeded the famous Clippy Office assistant, is flawed in the way it handles certain files, Microsoft said in bulletin MS06-068. Opening a malformed ".acf" file could cause PC compromise, it said.
The WorkStation Service, NetWare and Agent issues had not been disclosed earlier, which means there are no known attacks that exploit these flaws. Some of Microsoft's other fixes, however, are for vulnerabilities that are already being used in attacks.
A "critical" update for Internet Explorer, MS06-067, addresses three vulnerabilities, two of which cybercrooks are already tapping. An expected patch for XML Core Services delivered with bulletin MS06-071 plugs a flaw in that Windows add-on that had also surfaced in cyberattacks.
The IE update also addresses a new flaw, which lies in the way it handles certain HTML, or hypertext markup language, layout combinations, Microsoft said.
"Many of the issues addressed in this month's batch of patches attend to publicly exploited issues," Alfred Huger, a senior director at Symantec Security Response, said in a statement. "Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible."