Microsoft has released its monthly round of patches, including two patches for critical vulnerabilities and one that patches a hole that could become the basis of a widespread computer worm attack. At the same time as the patch release, a Danish company announced additional security holes in Microsoft’s Internet Explorer browser, which has been beaten by a string of vulnerabilities and attacks in recent weeks.
The latest security patches from Redmond, Washington, covered a total of seven holes. The two critical-rated vulnerabilities were a weakness in the Task Scheduler and an HTML Help flaw that could allow the execution of code on Windows 2000, XP and Server 2003 systems.
The same day Microsoft released its patches, the company’s Explorer browser again was the subject of security warnings from Danish firm Secunia, which rated a set of Active Scripting issues “extremely critical.”
The Explorer problems and patches come as Microsoft’s top officials — Bill Gates and Steve Ballmer — point to improvements in security and better response to issues. But there are concerns among observers that success against security bugs has become unattainable for Microsoft.
“The task is to find vulnerabilities before the bad guys, and that’s a pretty big task,” Gartner research vice president Richard Stiennon told TechNewsWorld. “I’m afraid that just because of the levels of attack and the X number of millions of lines of code, now that task is getting to be insurmountable.”
Stiennon also said that recent vulnerabilities in Explorer and Windows and the pace at which security holes are exposed means there is a tremendous amount of pressure on a pending Windows XP Service Pack 2 that Microsoft has referenced as a major security improvement.
Microsoft said the two critical security issues addressed with this month’s patches could allow remote execution of code on a victimized user’s machine. The Task Scheduler issue is what is known as a buffer overflow vulnerability, a common method of attack.
The second critical vulnerability involves holes in ShowHelp and HTML Help that would allow an attacker “complete control of an affected system,” according to Microsoft.
The other security issues addressed this month by Microsoft, which started the monthly routine last October to regularize the patching schedule, include vulnerabilities and fixes for Utility Manager, POSIX, IIS 4.0, and Windows Shell — all rated “important” by Microsoft.
The other patch released this week, rated “moderate,” was a cumulative security update for Outlook Express e-mail software.
Stiennon, who correctly predicted the MS Blaster worm after disclosure of what was known as the Remote Procedure Call vulnerability in Windows last year, said he was worried about the Task Scheduler issue because of its potential impact.
“It’s running on every desktop, so that’s a problem,” Stiennon said of the task manager hole. “It could mean another round of worms.”
Secunia’s warning on new Explorer vulnerabilities, which add to a long list of flaws increasingly being used as the basis of Internet attacks, dealt with four holes that could allow attackers to bypass security restrictions and potentially compromise vulnerable systems, which include fully patched computers running Internet Explorer 6 and Microsoft Windows XP Service Pack 1.
“Successful exploitation may potentially cause users to open harmful files or do other harmful actions without knowing it,” the Secunia advisory said.
Stiennon said the increase in Explorer vulnerabilities has also coincided with increased threats and awareness of another form of malicious code: spyware. Stiennon said companies are growing more concerned about the silent programs that can track user behavior or worse, with Gartner clients reporting that 75 percent of their help desk issues involve spyware.
“Spyware is taking advantage of the [vulnerabilities] in Explorer,” Stiennon said. “Any way spyware can use to latch onto a computer, it’s using. Spyware’s going to be the ‘spam’ of this year. Spyware’s going to do to the Web browsing experience what spam did to e-mail, making it something you have to do.”