Microsoft is probably glad its latest monthly round of software patches is relatively mundane, with three separate holes in Outlook 2002, MSN Messenger and Windows Server 2000 service packs all rated as medium-level threats.
There was some concern that the Outlook 2002 hole — addressed in an Office security update (Service Pack 3) — actually might be more of a threat and that the Messenger vulnerability could allow a significant instant messaging-based attack.
Still, after skipping a December patch and delaying an Internet Explorer fix with a lighter-than-expected January patch, the company’s software has been the target of a growing number of worms and viruses. The quiet March patches could be a welcome departure for Microsoft.
“It’s not anything earth-shattering,” iDefense director of vulnerability intelligence Sunil James told TechNewsWorld. “The only really big thing out of this is that Office XP Service Pack 3 came out.”
Mild Rating Can Change
The Outlook issue addressed this week by Microsoft affects Office XP and Outlook 2002 users, Microsoft said. With a severity rating of “important,” Microsoft said the vulnerability — caused by the parsing of specially crafted mailto URLs by Outlook 2002 — could allow Internet Explorer to execute script code on an affected system.
The attacker would have to host a malicious Web site to exploit the vulnerability and dupe a user — a tactic on the rise among spammers, virus writers and others.
An attacker also could create an HTML e-mail message to exploit the vulnerability and trick a user into viewing the HTML message. After a user has visited a malicious Web site or viewed the HTML message, the hole could allow the malware writer to have file access and run arbitrary code, Microsoft said.
James, whose company iDefense provided information on the Outlook security issue, reported that iDefense rated the gap as one of medium severity. However, the security expert added, the rating could change as a result of ongoing testing of the vulnerability.
Instant Messaging at Risk
A second vulnerability addressed by Microsoft in this month’s round of fixes lies in MSN Messenger 6.0 and 6.1 — a hole rated “moderate” by Microsoft that involves the way the instant-messaging software handles a file request.
Microsoft said an attacker could exploit the vulnerability by sending a specially crafted request to a user running MSN Messenger. If exploited successfully, the attacker could view a file on the hard drive without the user’s knowledge as long as the attacker knew the location of the file and the user had read-access to the file.
Security experts have long warned about the dangers of instant messaging as a platform for cybercrime and malicious code. However, Microsoft referred to several mitigating factors: An attacker would have to know the user’s sign-on name; the user still could block messages from anonymous users to avoid attack; and the attacker could access only files to which a user had read-access — restricted privileges would limit file access.
The third vulnerability addressed by this month’s patch, also “moderate,” is for Windows 2000 service packs 2, 3 and 4. Although not installed by default, there is vulnerability in the way Windows Media Station Service and Windows Media Monitor Service handle TCP/IP connections.
Specifically, a specially crafted sequence of TCP/IP packets from a remote user to the listening port of the Windows Media Services could stop the program from responding to requests, and no additional connections could be made. The service would have to be restarted to regain functionality, Microsoft said.
While it is credited with taking tangible steps to improve security, Microsoft still faces an uphill battle to turn the security tide for its software, which is targeted both because of its widespread use and because of fundamental security flaws now being addressed in the updates.
The last few months have brought a seemingly endless onslaught of viruses and worms, with at least two Fortune 500 companies hit by last week’s “worm war” caused by variants from different virus writers.
Gartner vice president Richard Stiennon told TechNewsWorld that although there is value in a predictable patching process, Microsoft is too dependent on vulnerability information not getting disclosed.
“Microsoft should focus more on making better code,” Stiennon said. “They’re not going to control information.”
Despite criticism that Microsoft has left users more vulnerable by holding off on fixes in between the monthly releases, the second Tuesday of the month is starting to synch with administrators, iDefense’s James said.
“I think as people get more and more accustomed to the monthly patching, the more easy it is to deploy resources for patching and deal with things that get broken or things that can conflict as a result of patching, it is definitely helping,” James said.
“Over the next year, you’ll see [Microsoft] continually improve the patches and improve the information in the patches as well,” he added.