Saturday, November 17, 2007

Microsoft Fixes Critical Windows Bug

The November security updates fix the so-called
URI problem, a critical Windows bug that has been exploited
by online criminals.


Microsoft has released its November security
updates, fixing a critical Windows bug that has been exploited
by online criminals.

Microsoft released just two security updates this month, but
security experts say that IT staff will want to install both of
them as quickly as possible. The MS07-061 update is particularly
critical because the flaw it repairs has been seen in Web-based
attack code, said Amol Sarwate, manager of Qualys's vulnerability
research lab. "This was a zero day [flaw] that was being used in
the wild by hackers," he said.

The flaw has to do with the way Windows passes data between
applications, using a technology called the URI (Uniform Resource
Identifier) protocol handler. This is the part of Windows that
allows users to launch applications -- an e-mail or instant messaging
client, for example -- by clicking on a Web link. Because Windows
does not perform all of the security checks necessary, hackers
found ways to sneak unauthorized commands into these Web links
and the flaw could be exploited to install unauthorized software
on a victim's PC.
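As an added illustration, not code from the article, from Microsoft or from any of the vendors named, the kind of check a URI-handler dispatcher should make before handing a clicked link to the registered application: look the scheme up in a handler table modelled on the registry's shell\open\command entries (the table, executable paths and switches here are constructed placeholders), accept only RFC 3986 characters and a registered scheme, refuse anything that decodes to a quote or control character, and pass the URI as a single argv element instead of substituting it into a command string.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the registry's HKCR\<scheme>\shell\open\command
# entries (Windows substitutes the clicked URI for "%1"). The executables and
# switches are hypothetical placeholders, not real product values.
HANDLER_COMMANDS = {
    "mailto": [r"C:\Example\mailclient.exe", "/m", "%1"],
    "aim": [r"C:\Example\im.exe", "%1"],
}

# Characters RFC 3986 permits in a URI; everything else must be %-encoded.
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

class UriRejected(ValueError):
    """Raised when a URI must not be forwarded to any handler."""

def validate_uri(uri: str, handlers) -> str:
    """Return the scheme if the URI is safe to dispatch, else raise."""
    if not _URI_CHARS.fullmatch(uri):
        raise UriRejected("character outside the RFC 3986 set")
    if "%" in _PCT_ESCAPE.sub("", uri):
        raise UriRejected("malformed percent-escape")
    scheme = urlsplit(uri).scheme  # urlsplit lower-cases the scheme
    if scheme not in handlers:
        raise UriRejected(f"no handler registered for {scheme!r}")
    # The handler sees the decoded form, so quotes and control characters
    # must not survive decoding: they are what lets a link be misread as
    # extra command-line arguments by the launched program.
    decoded = unquote(uri)
    if '"' in decoded or any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise UriRejected("decoded URI contains a quote or control character")
    return scheme

def build_argv(uri: str) -> list:
    """Handler argv with the URI as exactly one element: no shell, no string
    templating, so nothing downstream can split or re-quote it."""
    scheme = validate_uri(uri, HANDLER_COMMANDS)
    return [uri if arg == "%1" else arg for arg in HANDLER_COMMANDS[scheme]]

def accepted(uri: str) -> bool:
    """Convenience predicate: True if validate_uri would dispatch the URI."""
    try:
        validate_uri(uri, HANDLER_COMMANDS)
        return True
    except UriRejected:
        return False
```

The argv list is what you would hand to a process-creation API that takes arguments individually; the check is deliberately stricter than RFC 3986 so that an odd-looking link is refused rather than forwarded.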

This type of flaw lies in both Windows and the programs being
launched by the Web link and Microsoft had initially said that
it was up to third-party software developers to fix the issue.
It later reversed this position and decided to fix the flaw in
Windows as well. These URI protocol handler problems have turned
up in Adobe, Firefox and Outlook Express.

Microsoft was forced to revise its position on the URI bugs after
researchers discovered that they were far more problematic than
first thought, said Nathan McFeters, a security researcher with
Ernst & Young, who has been studying this problem. "I think that
early on it wasn't clear that this was an issue," he said via e-mail.
"There's really a handful of issues with this URI use and abuse stuff."

Microsoft's patch for this problem is rated critical for Windows XP
and Windows Server 2003 users, but the bug does not affect Windows
2000 or Vista, Microsoft said.

The second vulnerability, rated "important" by Microsoft, has to do
with Windows DNS (Domain Name System) servers, which are used to
exchange information about the location of computers on the Internet.
Attackers could exploit this flaw to redirect victims to malicious
Web sites without their knowledge, something known as a "man in the
middle" attack. "All system administrators should look very closely
at this vulnerability," Sarwate said. "I would have personally rated
it as critical," he said.

Security experts were surprised that Microsoft did not include a patch
for a known vulnerability in some Macrovision antipiracy software that
has been shipping with Windows for the last few years. Microsoft has
said that it plans to patch the problem and that it is aware of
"limited attacks" that exploit this vulnerability to get elevated
privileges on a victim's machine.

The bug lies in the secdrv.sys driver built by Macrovision that ships
with Windows XP, Server 2003 and Vista, but Vista is not vulnerable
to the problem, according to Microsoft.

Macrovision has also published a patch for this problem.

It's a "bit worrisome" that Microsoft hasn't pushed out a patch for
the bug, given that Macrovision has already made its fix available,
said Andrew Storms, director of security operations with nCircle Network
Security, via instant message. "However, [it's] understandable that
Microsoft would want to run the patch through its QA [quality assurance]
and software release cycles," he added. "Given the choice between the URI
bug and the Macrovision fix, enterprise security operations teams would
much rather have the URI fix."

Users of Microsoft's WSUS (Windows Server Update Services) update system
had been wondering if they were going to get Tuesday's patches, after a
Microsoft programming error knocked WSUS administration consoles offline
on Sunday and Monday. Microsoft had misnamed an entry in WSUS's database
causing the consoles to crash.

The problem was fixed on Monday, said Bobbie Harder, a Microsoft senior
program manager, in a blog posting. But WSUS servers that synchronized
with Microsoft between 5 p.m. Sunday and 11 a.m. Monday Pacific Time
will need to resynchronize to avoid the problem.

Though she had heard of one user who had to manually update his WSUS
server, Tuesday's updates went off without a hitch, said Susan Bradley,
a WSUS user who is chief technology officer with Tamiyasu, Smith,
Horn and Braun, Accountancy.
