Microsoft kept to its schedule in rolling out its October “Patch Tuesday” updates, which included four “critical” fixes — two deemed “important” — that in total address nine flaws. The security updates range from crucial patches for the Kodak Image Viewer to Microsoft’s Outlook Express and Windows Mail applications to Word to an RPC (remote procedure code) flaw.
Also among the selection of patches was a cumulative security update to correct several vulnerabilities in the company’s Internet Explorer Web browser. In addition, a repair was included for Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 that had been pulled from the bundle of updates released in September.
A previously announced patch to repair an unidentified flaw in Windows 2000 and Windows Server 2003 that made the programs vulnerable to spoofing, an attempt by hackers to gain access to a system by masquerading as an authorized user, was dropped from the final release. Microsoft removed it due to a “quality control issue,” the company said.
In addition to the security updates, Microsoft also released its monthly update for Microsoft Windows Malicious Software Removal Tool as well as three high-priority but non-security-related patches and a high-priority Windows update.
“Patching systems is very important,” Natalie Lambert, a Forrester Research analyst, told TechNewsWorld. “Patch management is still a top concern for many IT folks. IT profession[als] recognize that patching systems will best protect against malicious code in the wild.”
The four updates marked critical all run the risk of allowing cyber-criminals to remotely execute code on a user’s system.
The cumulative security fix for Internet Explorer (IE) repairs four flaws — three that had been privately reported and one that was publicly disclosed. The most serious of the bugs could permit someone to remotely execute code on an affected system, possibly via an online attack. Due to the popular use of IE, this patch should be considered essential for everyone from system administrators on down to the average user. The update is recommended for those running IE 5.01, 5 and 7 on Windows 2000, XP, Server 2003 and Vista.
The Word patch is rated as a critical fix and is intended for versions of the program installed with Office 2000 and updated to Service Pack 3 (SP3), Office XP with SP3, and Microsoft Office 2004 for Mac. However, the patch is rated as “important” for users with more recent versions of Word, meaning they should still install the fix. Hackers can exploit the flaw when users open a maliciously crafted Word document. The fix modifies the way the application handles these specially crafted files. Users with accounts configured to provide fewer user rights on the system could be less impacted than those with administrative-level rights.
With the Kodak Image Viewer, which handles specifically crafted image files, the threat could be lessened on machines whose user accounts are configured to have fewer rights on the system than those who operate with administrative rights, according to Microsoft.
The last critical update affects Outlook Express (OE) users with versions 5.5 and 6 as well as Windows Mail users running Windows 2000, XP and Server 2003. The same flaw in the Vista version of Windows Mail is listed as “important.” The patch corrects a problem that occurs due to an incorrectly handled malformed NNTP (network news transfer protocol) response. An attacker, Microsoft said, could exploit the vulnerability when users visit specially crafted Web sites.
Next on the list, the RPC service fix, rated as “important,” contains a denial of service (DoS) vulnerability that is triggered when there is a failure in communicating with the NTLM (NT LAN management) security provider when performing authentication of RPC requests.
The sixth patch for Windows SharePoint Service 3.0 and Office SharePoint Server 2007 is of particular importance for those running Microsoft Office 2000 SP3, Microsoft Office XP SP3 and Microsoft Office for Mac, but does not affect Microsoft Office 2003 SP2 and SP3 users or those with the latest version of the productivity suite, Microsoft Office 2007. Opening a specially crafted Word file could enable an attacker to run arbitrary script to modify a user’s cache and result in the disclosure of information on the affected workstation.
Patch It or Delete It
Users, whether of the PC or Mac, who fail to install these and any other recommended patches open themselves to the risk that the flaws could be exploited, Graham Cluley, senior technology consultant for Sophos, told TechNewsWorld.
PCs infected with malware could divulge the user’s personal information and make it easier for cyber-criminals to steal their identities, spew out spam to millions of people or launch a distributed denial-of-service attack against innocent Web sites. Others can also be exploited by phishing Web sites and e-mails.
Not only should the patches be installed, but users should make sure they are downloaded as quickly as possible, because cyber-crooks act quickly developing exploits once a vulnerability is made public, Cluley explained.
“It is essential that firms and home users alike act quickly to ensure that their computers are properly protected against these flaws. In the past it hasn’t taken long for cyber-criminals to exploit recently announced vulnerabilities,” he pointed out.
“If Microsoft is prepared to stand up and admit to serious security flaws in its software, then it is sensible for the world to listen and take action,” he added.
For users who don’t use Outlook Express and Windows Mail, SharePoint or any other program addressed in a patch, the wisest courses to take are to either install the patch anyway or uninstall the program from the computer, Cluley noted.
“It doesn’t make sense to leave unpatched applications on your PC even if you don’t think that you use them,” he continued. “Make a choice now — patch them or uninstall them.”
For employees unsure about the SharePoint vulnerability and if it affects them, Cluley advised them to contact their IT department, which “should know whether you are at risk from [the SharePoint] vulnerability or not.”
With the stream of bug fixes and emergency security patches continuing to flood in unabated every month, including some for the “much-vaunted Windows Vista,” Graham had some advice for enterprise users.
“All organizations should roll out these patches as a matter of urgency,” he said, “as some of them could enable hackers to access data on a vulnerable PC or run malicious code.”
However, even that is not a guarantee of protection, however, as many firms could still be at risk if they allow guests, business partners or customers to bring unpatched machines into the company and connect to the network, Cluley stated.
“What is becoming clear is that a large number of companies face an ongoing struggle to ensure that all PCs are successfully patched against emerging vulnerabilities. This is because some machines may be incorrectly configured to receive updates, while others may not be connected to the network at the time of the rollout,” he said.
Though it may seem like a straightforward process, installing the latest security patches from Microsoft is easier said than done for many businesses, especially if they have a regular stream of visitors tapping into their network. It does not matter whether they use an employee’s desktop PC or a customer’s laptop — an unpatched machine represents a possible avenue for a cyber-attack, Graham warned.
“Network Access Control can help prevent this from becoming a reality by giving businesses the ability to control who and what is connecting to a network. If a machine hasn’t had the correct patches installed, you can prevent it from causing any harm to the rest of your organization by blocking its access to the network or quarantining the machine until it conforms with company IT policy,” he concluded.