By Ryan Naraine and Jim Wagner
Microsoft on Tuesday issued three security bulletins fixing
vulnerabilities in its ISA Server 2000, Exchange Server 2003 and Windows
products as part of its monthly patch schedule.
But it also had to delay issuing a patch for a flaw in the
Internet Explorer (IE) browser, which was publicized over a month ago.
Tuesday’s alerts included a patch for a vulnerability in ISA Server
2000, rated “critical” because it could lead to system takeover, and a patch for a “moderate” flaw in Exchange
Server 2003 that could randomly grant a user of Outlook Web Access (OWA) for Exchange
Server 2003 access to another user’s mailbox.
A third advisory and patch, rated “important”, covered a Windows flaw
that could leave users open to arbitrary code execution.
Stephen Toulouse, program manager at Microsoft’s security response center, declined to say why the IE patch was left out of this month’s release.
“The release [of a patch] requires a balance
between time and testing. We’ll only release a patch when it’s
well-engineered and thoroughly tested,” he told internetnews.com.
In November of 2003, Chinese security researcher Liu Die
Yu released
details of five serious IE vulnerabilities that could lead to system
takeover, exposure of sensitive information, cross-site scripting and
security bypass.
Yu also circulated proof-of-concept exploits on several mailing
lists, warning that IE versions 5.0, 5.5 and 6.0 were susceptible to the
vulnerabilities. At the time, security firm Secunia rated
the bugs as “extremely critical.”
Although the patch was expected as part of the January release, Microsoft held off. “We are taking that very seriously and we’re proceeding with our investigations,” Toulouse explained. He also stressed that getting the patch right was key.
“An incomplete patch can be worse than no patch at all. Especially if a
faulty patch only ends up serving to alert malicious attackers to the
issue,” Toulouse added.
He said a cumulative IE patch presented a particular challenge for
patch engineers because the browser ships in numerous versions and
languages on multiple operating systems. “Internet Explorer is
available in five versions. Now, multiply that times all the supported
languages and the different operating systems and you’ll find that we have
to create about 500-odd patches that have to go through a very strict
testing process.”
But Jupiter Research analyst Joe Wilcox said he believes the company had enough time
to get a patch ready. “One and a half months seems like
a very long time to test a patch for a potentially critical update that is
already public. The key here is that the info is already public and if you
look at what happened with the Blaster worm, the patch was made available in
July [2003] and, in less than a month, the exploit was unleashed on the
Internet,” Wilcox told internetnews.com.
(Jupiter Research and this publication are owned by the same parent company.)
“If they’re treating [Yu’s] November vulnerability as critical, then the
amount of time to test a patch surprises me. If they’re viewing this as a
non-threatening problem, then the amount of time isn’t a serious
consideration,” Wilcox added.
Toulouse said the process needs to be engineered properly. “We want to make sure we have a proper
patch available for all the languages and all the versions of IE. You can’t
fix one language and not fix another. We’re in a deep investigation on it
and I want to make it clear we absolutely take that report very seriously
and we’re going to take the appropriate action to protect our customers.”
Microsoft also re-released a patch first issued in October, rated
“important” in the company’s ratings system, to correct a problem in the Thai, Hebrew and Arabic versions of
the original release. That patch, which has been revised several times,
fixes a buffer overrun in the ListBox control and the ComboBox control.
The first advisory for 2004 covers a vulnerability in the H.323 filter for
Microsoft Internet Security and Acceleration Server 2000 that could allow an
attacker to overflow a buffer in the Microsoft Firewall Service. “An
attacker who successfully exploited this vulnerability could try to run code
of their choice in the security context of the Microsoft Firewall Service.
This would give the attacker complete control over the system,” the company
warned.
Flaws in H.323 handling have also put users of VoIP products from
Cisco and Hewlett-Packard at risk.
Microsoft also issued a fix for a buffer overflow in Microsoft Data Access
Components (MDAC), the code through which Windows applications connect to databases. In
this case, an MDAC component can be compromised when a client broadcasts a
request to discover which computers on the network are running SQL Server.
An attacker on that network can answer the broadcast with a specially crafted
packet that overflows a buffer in the MDAC component, gaining the same
privileges as the user whose request triggered the broadcast.
Microsoft did not rate the flaw critical because the attacker must first
be on the same subnet, and even then gains only the privileges of the user
making the request, not automatic administrative access.
“If the program ran with limited privileges, an attacker would be limited
accordingly,” the security advisory stated. “However, if the program ran
under the local system context, the attacker would have the same level of
permissions.”
The vulnerability affects MDAC 2.5 and 2.6 on Windows 2000 and SQL Server
2000, MDAC 2.7 on Windows XP and MDAC 2.8 on Windows Server 2003, in both the
32- and 64-bit versions. This is the second time in recent months that
Microsoft has had to patch MDAC; in August, an identical flaw was reported in MDAC 2.5, 2.6 and 2.7,
though that one did not affect version 2.8.
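The MDAC bug described above is the classic shape of a network-facing overflow: the client sends a broadcast, anything on the subnet may answer, and the reply carries a length field the client copies on trust into a fixed-size buffer. The following is an added example written for this page, not code from the article or from Microsoft’s MDAC, showing that vulnerable pattern next to the bounded version that the fix amounts to. The reply layout (type byte 0x05, 16-bit little-endian length, a “Key=Value;” list), the server name SQLBOX and the three packets are all constructed for illustration; the same check-the-length-before-copying discipline is what a fix for the ISA Server H.323 filter overflow above requires.

```c
/* Added example: models the MDAC SQL Server browse-reply overflow pattern.
 * Not Microsoft's code. Packet layout and sample values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* fixed buffer the client parses a reply into */

/* Copy the value of `key` from a "k=v;k=v;" list into out.
 * Returns 0 on success, -1 if the key is absent or the value does not fit. */
static int find_field(const char *list, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = list;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == list || p[-1] == ';') && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, ';');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outlen)
                return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* Vulnerable pattern: the 16-bit length field in the datagram is trusted as
 * the memcpy size into a 64-byte stack buffer. A hostile reply with a larger
 * length field overruns `name`, and the corruption happens in the security
 * context of whoever issued the browse request. Only call this with the
 * benign packet; it is here to show the defect. */
int parse_response_vulnerable(const uint8_t *pkt, size_t pktlen, char *server, size_t serverlen)
{
    char name[NAME_BUF];
    if (pktlen < 3 || pkt[0] != 0x05)
        return -1;
    size_t claimed = pkt[1] | ((size_t)pkt[2] << 8);
    memcpy(name, pkt + 3, claimed);        /* BUG: no check against NAME_BUF or pktlen */
    name[claimed] = '\0';                  /* BUG: same unchecked index */
    return find_field(name, "ServerName", server, serverlen);
}

/* Hardened version: the length field must be consistent with the bytes
 * actually received and must fit the buffer; anything else is dropped. */
int parse_response_hardened(const uint8_t *pkt, size_t pktlen, char *server, size_t serverlen)
{
    char name[NAME_BUF];
    if (pktlen < 3 || pkt[0] != 0x05)
        return -1;                         /* not a browse reply */
    size_t claimed = pkt[1] | ((size_t)pkt[2] << 8);
    if (claimed > pktlen - 3)
        return -2;                         /* length field exceeds the datagram */
    if (claimed >= sizeof name)
        return -3;                         /* would not fit: drop the reply */
    memcpy(name, pkt + 3, claimed);
    name[claimed] = '\0';
    return find_field(name, "ServerName", server, serverlen);
}

/* Build a constructed reply datagram. claimed_len is written to the header
 * independently of payload_len so a lying length field can be simulated. */
size_t build_response(uint8_t *buf, size_t buflen, const char *payload, size_t payload_len, uint16_t claimed_len)
{
    if (payload_len + 3 > buflen)
        return 0;
    buf[0] = 0x05;
    buf[1] = (uint8_t)(claimed_len & 0xff);
    buf[2] = (uint8_t)(claimed_len >> 8);
    memcpy(buf + 3, payload, payload_len);
    return payload_len + 3;
}

/* Constructed replies: 0 = honest reply from a real server, 1 = oversized
 * reply from a hostile host on the subnet, 2 = length field larger than the
 * datagram. Returns the hardened parser's result code. */
int run_scenario(int which, char *server, size_t serverlen)
{
    static const char benign[] = "ServerName=SQLBOX;InstanceName=MSSQLSERVER;tcp=1433;;";
    uint8_t pkt[512];
    char big[320];
    size_t n;

    if (which == 0) {
        n = build_response(pkt, sizeof pkt, benign, strlen(benign), (uint16_t)strlen(benign));
    } else if (which == 1) {
        memset(big, 'A', sizeof big - 1);  /* 319-byte name, far beyond NAME_BUF */
        big[sizeof big - 1] = '\0';
        memcpy(big, "ServerName=", 11);
        n = build_response(pkt, sizeof pkt, big, strlen(big), (uint16_t)strlen(big));
    } else {
        n = build_response(pkt, sizeof pkt, benign, strlen(benign), 400);
    }
    return parse_response_hardened(pkt, n, server, serverlen);
}

int main(void)
{
    char server[64];
    for (int i = 0; i < 3; i++) {
        int rc = run_scenario(i, server, sizeof server);
        printf("scenario %d: rc=%d %s\n", i, rc, rc == 0 ? server : "(dropped)");
    }
    return 0;
}
```

The hardened parser rejects the hostile reply with -3 and the inconsistent one with -2 before any copy takes place; the two checks are separate because each guards a different read or write. The advisory’s point about privilege also follows from the code: whatever the overflow achieves, it achieves as the account that issued the broadcast, so running that client as a limited user bounds the damage while a LocalSystem service does not.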
Tuesday’s third patch, for Exchange Server 2003, fixes the
privilege escalation issue affecting front-end servers that are running
Outlook Web Access for Exchange Server 2003.
Patches and more information on the January releases are available
from Microsoft.