April 12, 2005 2:19 PM PDT
Microsoft plugs critical holes in Windows
The updates include "critical" fixes to Windows' TCP/IP networking, Internet Explorer, MSN Messenger, Office and Exchange Server. "Critical" is the company's highest severity rating. Three other Windows security holes are rated as "important," the next highest rating.
In each case, Microsoft said the flaws, if exploited, could enable an attacker to take remote control of a vulnerable machine.
In general, Microsoft said it is making progress on security issues. Stephen Toulouse, security program manager with the Microsoft Security Response Center, noted that many of the flaws that were rated critical had lower ratings for those running the latest versions of Microsoft's software.
With the vulnerability in the Exchange Server software for managing e-mail, contact lists and calendars, for example, Toulouse said that it is rated only "moderate" for those running Exchange Server 2003. Similarly, no immediate attention was needed on the Windows flaws for those running the just-released Windows Server 2003 Service Pack 1.
Worming into Exchange?
Atlanta-based Internet Security Systems, which was credited with discovering the Exchange vulnerability last year, said it is concerned that, now that the details of the Exchange fix are out there, a worm could be created that exploits the flaw, and such a bug could quickly do damage.
"There is no user interaction required to exploit the vulnerability," said Neel Mehta, team leader of advanced research for ISS' X-Force unit.
Toulouse said it is difficult to say whether the Exchange vulnerability could lead to a new worm.
"It's really hard to speculate on what an attacker might do," he said. He noted that he has not seen any discussion of such a bug, nor has there been any so-called "proof of concept" code that is often a precursor to an actual worm. "What we are doing right now, and what we do after every release, is to watch."
ISS also found the flaw in TCP/IP networking, the standard behind the Internet and other networks. Mehta said it appeared to be more difficult to exploit, but that the danger would be greater if it were exploited, since TCP/IP is so widely used.
"Every networked Windows computer is using this," Mehta said. "It's not something you can disable. It's not something you can turn off."
With the Internet Explorer bug, Toulouse said that someone who visits a specially configured Web site could then have malicious code executed on their machine. As for the Office vulnerability, Toulouse said that any attack would have to involve someone receiving and opening a maliciously constructed Word file.
In response to the new flaw disclosures, Symantec raised its overall "ThreatCon" security level for the computer industry.
"It is important that both home users and enterprises take proactive steps to deploy these patches," Oliver Friedrichs, senior manager at Symantec Security Response, said in a statement. "The vulnerabilities announced by Microsoft today can result in broad exposure to blended threats and worms, as well as denial-of-service attacks."
In addition to those patches, Microsoft is releasing two high-priority upgrades unrelated to security. One is for the Windows Installer and the other is for the Background Intelligent Transfer Service, which Microsoft uses to allow piecemeal downloading of software updates.
The software maker said last week to expect the eight security patches, as well as the other updates, but did not offer details.
In March, the company took a break from its monthly routine of security releases and did not issue any patches. The prior month, Microsoft had a dozen fixes in its regularly scheduled release and later plugged a hole in the digital-rights technology within Windows Media Player.
Microsoft also revamped its technology for removing malicious code, a sort of basic antivirus tool for cleaning up infections. The software now removes Hacker Defender, Mimail and Rbot, as well as new variants of the Berbew, Bropia, Gaobot, MyDoom and Sober worms, the company said.
People can get the patches at Microsoft's Web site or set their systems to automatically update.