Microsoft has released its latest batch of fixes in this month’s Patch Tuesday announcement, employing a new format that makes it easier for IT administers to single out areas of risk, according to Amol Sarwate, research manager of the vulnerability research lab at Qualys.
The new format doesn’t give users a total count of vulnerabilities, however. For instance, Sarwate told TechNewsWorld, one patch in this release fixes six different vulnerabilities in Internet Explorer — a less-than-transparent accounting of the number of flaws the company is addressing.
Many of the newly uncovered vulnerabilities this time are variations on existing themes: flaws in Internet Explorer, for instance, or proof-of-concept vulnerabilities on which active development is occurring. Perhaps most worrisome — and intriguing, according to at least one security researcher — is a possible vector in SSL (Secure Sockets Layer), which is supposed to be the gold standard for Web site security.
There are four patches rated “critical” that allow for remote execution, always a chief security concern.
Patches are essential for at least two — MS07-031 and MS07-035 — because they are in the core of the operating system, Sarwate said. “They do not require a browser to channel malware — if a user has Windows, then he or she is vulnerable.”
MS07-035, for instance, leaves users vulnerable when parsing HTML (Hypertext Markup Language) or text images. “Malicious content can execute in users’ machines,” Sarwate said.
MS07-033, for its part, distinguishes itself as having the largest number of flaws — six in total — that can leave Internet Explorer open to hack attacks.
Unpatched, MS07-033 can compromise a system if a user merely visits a corrupt Web site. “Another possibility is that a user could click on an ad that is corrupted — in an otherwise safe Web site — and become infected as well,” Chad Harrington, chief technical evangelist at FireEye, told TechNewsWorld.
“Basically, when you launch your browser, MS07-033 can create an instant tunnel through a firewall,” explained Roger Thompson, CTO of Exploit Prevention Labs.
“I expect this and 035 will be targeted by malware writers as soon as possible,” he told TechNewsWorld.
What’s the Problem With IE?
If it seems as though IE flaws are a recurring theme for Microsoft, that’s because they are.
“In many ways, it is the same old, same old,” Mark Loveless, security architect at Vernier Networks, told TechNewsWorld.
The good news is that Microsoft’s reactive process works fairly well, which means it is less likely to issue a slew of code reds — as it used to in the days when huge, well publicized worm attacks threatened the Internet on a regular basis.
Another dubious advantage of IE is that spammers are paying malware writers for their best worms and saving them for zero day exploits. “People aren’t blowing their zero day exploits on goofy worms anymore,” Loveless said. “Rather, they want the worms they do write to keep a low profile in order to remain on computers that much longer.”
Another critical flaw, found in Microsoft’s SSL channel, would allow a hacker to gain control or host a Web site that gives out “bad” security certificates, Sarwate said.
From a technical point of view, this is the most interesting flaw, according to Vernier Networks’ Loveless. “It is interesting because there is only the potential for remote code execution, which means it would be hard to hack.” The fact that it can be hacked at all is what makes it interesting, he explained.
It depends on the platform, FireEye’s Harrington said, noting that the SSL flaw would be hard to remotely execute on Windows 2000 but not on Windows XP. “Of course, it is Windows XP that is much more commonly used.”
That particular flaw is not found in the Vista version, he said.
One moderate vulnerability in the release is specific to Vista, Sarwate said. There have been Vista vulnerabilities before, but they were also found in earlier versions of Windows. “This is the first time there is a vulnerability that only exists in Vista. What this implies is that it is a flaw in the newer core, which was written under Microsoft’s secured computing initiative.”
This flaw allows low-privileged users to access information that should only be accessed by the top-privileged users, he said.
Proof of Concept
One trend that is apparent in this latest group of patches, according to Dave Marcus, security research and communications manager at McAfee Avert Labs, is the that more malware writers are working on exploiting proof-of-concept flaws.
“Three or four of the new patches had pre-existing proof of concept,” Marcus told TechNewsWorld. “We are seeing a lot more of that on a monthly basis — and a lot quicker too, as more malware writers jump to exploit these vulnerabilities.”