Patch Tuesday Fixes 10 Vulnerabilities
"Despite having a dedicated day to focus on Microsoft patches, network administrators are still faced with a double whammy," said Mitchell Ashley, CTO and vice president of customer experience at StillSecure. "The window of time from when patches are released to when an exploit is readily available is rapidly shrinking."
04/12/06 7:48 AM PT
Microsoft's Patch Tuesday issued a slew of fixes in its April release, most of which focused on browser flaws. The software giant's monthly security update issued five patches in all, including three "critical," one "moderate" and one "important" patch.
Ten vulnerabilities in all were addressed in the cumulative fix. Of special note, this month's patch includes a remedy for the highly publicized "createTextRange()" flaw, along with fixes for HTML parsing errors, script executions and address bar spoofing issues.
These flaws could result in a remote code execution risk, allowing a hacker to take control of a victim's computer, according to Microsoft, though an attacker would have to create a malicious Web site and entice people to visit it in order to gain access to the PC.
Hackers Plan Ahead
Thanks to the schedule Microsoft has provided the market through Patch Tuesday, network administrators are able to more effectively plan their patching cycles, said Mitchell Ashley, CTO and vice president of customer experience at StillSecure. Unfortunately, he added, hackers can more effectively plan their attacks as well.
"Despite having a dedicated day to focus on Microsoft patches, network administrators are still faced with a double whammy," Ashley told TechNewsWorld. "The window of time from when patches are released to when an exploit is readily available is rapidly shrinking. Plus, networks are growing more complex with new kinds of devices like PDAs so more time is required to manage the vulnerability and patching processes."
The createTextRange() flaw caused a stir in late March. Rated extremely critical, the flaw had the potential to impact thousands of users because it applied to frequently used radio buttons. A radio button is a form field that presents the user with a selection that can be chosen by clicking on a button.
Malware writers were exploiting the vulnerability to put spyware and other malicious code on victims' PCs before Microsoft issued a patch. Security firm eEye Digital Security said its temporary fix was downloaded by 156,000 customers from the time it was discovered until Microsoft issued its own fix. The IE update covers all versions of the operating system.
Microsoft said only the createTextRange() flaw was exploited, but Symantec reported that three of the flaws were being exploited before Microsoft released its patch. Security researchers expect additional attacks to follow.
Microsoft also issued critical updates for a flaw in the execution of the RDS.Dataspace ActiveX control and for a vulnerability in Windows Explorer's handling of COM objects. Attackers could make Explorer fail by visiting a specially designed site. All versions of Windows are affected by these critical flaws.
Other fixes in this patch cycle include an "important" update that addresses issues with how Outlook 5.5 and 6 handle Windows Address Book files. This vulnerability would allow an attacker to install programs, view, change or delete data, or create new accounts with full user rights, Microsoft said in its advisory.
Taking Accurate Inventory
Planning a network-wide restart requires extra scheduling on behalf of the IT staff, increasing the pressure to secure the network in a timely manner without any business disruptions, Ashley noted.
"One suggestion for decreasing these time-to-patch sensitivities is to take an accurate inventory of the devices on the network, who is using them, and what systems they are running prior to Patch Tuesday's announcement," Ashley said. "Another is to deploy multiple layers of security including intrusion detection and prevention (IDS/IPS), vulnerability management, and network access control, in case devices were overlooked or a security update was missed."