Microsoft Patch Day Plugs 3

Jim Wagner
Jul 13, 2005

At Microsoft’s monthly Patch Tuesday, security officials announced they fixed three critical vulnerabilities.

The vulnerabilities open the door to remote code execution by malware writers, allowing them to take complete control of the user’s machine. Once accomplished, they would have full administrative rights to view, change or delete data on the hard drive.

The first is a critical font-parsing vulnerability in Microsoft Word affecting Microsoft 2000/XP and Microsoft Works 2000/2001/2002/2003/2004 users. The vulnerability can be exploited if a user opens a specially crafted Word document, which would install a malicious program onto the computer.

Security officials said the vulnerability doesn’t extend to people who, by default, use Word as their e-mail editor in Outlook. The main risk, they add, is to workstations and terminals, not servers. The flaw was corrected by modifying the way the software validates the length of a message before it is sent to the allocated buffer.

The second security bulletin (MS05-036) addresses a critical vulnerability in Microsoft’s color management module, affecting users on the Windows XP/2000/98/ME and Windows Server 2003 platforms.

The module provides consistent color mappings between devices and applications and was corrected by modifying the way it passed industry standard color management information to the buffer.

Officials said Microsoft has received information that the vulnerability was being exploited in the wild before the fix was ready, although details of the vulnerability weren’t publicized before the security bulletins were released today.

The third critical vulnerability is a flaw in the JView Profiler affecting Internet Explorer 5 and 6, as well as Windows Server 2003 for Itanium-based systems. The JView Profiler is the debugger interface for Microsoft’s Java virtual machine, the component that lets Web surfers view Java-based applications and applets.

The vulnerability occurs when IE tries to run the JView Profiler COM object as an ActiveX control, which could cause system memory corruption and allow the malware writer to insert their own code or cause IE to crash. Officials said this vulnerability, like the color management module weakness, is being exploited.

Brian Grayek, CTO at security vendor Preventsys, said the Word vulnerability is the most potentially damaging in this month’s patch update. The old adage that attackers pick the most popular operating system or the most popular browser, he said, also applies to the most popular application.

“With Word, you’ve got to know of a lot of people out there that are not going to be quite as quick to patch their system; we’re talking mostly home users out there,” he said. “With the Internet Explorer [vulnerability] then you’re talking about a real close race for second place.”

Officials at security firm StillSecure warned Microsoft users about an increased number of hacker attacks surrounding Patch Tuesday, as more and more people become aware of the once-a-month Microsoft update. A new mechanism for getting malware into the computer, they said, is for hackers to create fake Microsoft security bulletins.

“The bulletins, spammed via e-mail, try to con users into downloading a new Microsoft security update,” the advisory read. “Real bulletins don’t link directly to downloadable binaries; instead they link to a download site located at www.microsoft.com.”
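The StillSecure rule quoted above (real bulletins link to a download site on www.microsoft.com, never directly to a binary) is mechanical enough to check automatically. The following is an added example, not code from the article or from StillSecure: it pulls every link out of a constructed sample message and flags any that points at a file with an executable extension or at a host other than www.microsoft.com. The allowed host list, the extension list and the sample message are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail): one link that follows the
# advisory's rule, one direct binary download, one look-alike host.
SAMPLE_EMAIL = """\
Subject: Critical Microsoft Security Update
Please read the bulletin at http://www.microsoft.com/technet/security/bulletin/ms05-036.mspx
Fast mirror: http://update.microsoft-patches.example/MS05-036-patch.exe
See also https://www.microsoft.com.evil.example/download
"""

URL_RE = re.compile(r"https?://[^\s<>'\"]+")

# Assumption for the example: the only hosts a genuine bulletin links to.
LEGIT_HOSTS = {"www.microsoft.com", "microsoft.com"}

# Assumption for the example: extensions that indicate a direct binary download.
BINARY_EXTS = (".exe", ".msi", ".scr", ".com", ".bat", ".cmd", ".pif")


def classify_link(url):
    """Return None for a link consistent with the advisory's rule,
    otherwise a short reason string describing the violation."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if path.endswith(BINARY_EXTS):
        return "links directly to a downloadable binary"
    # Compare the parsed hostname, not the raw string: a host such as
    # www.microsoft.com.evil.example contains the expected name but does
    # not end with .microsoft.com once parsed.
    if host not in LEGIT_HOSTS and not host.endswith(".microsoft.com"):
        return "host is not www.microsoft.com"
    return None


def suspicious_links(text):
    """Return [(url, reason), ...] for every link in text that violates the rule."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the link
        reason = classify_link(url)
        if reason:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {url} ({reason})")
```

Run against the sample, the bulletin link on www.microsoft.com passes while the `.exe` mirror and the look-alike host are reported. The host comparison works on the parsed hostname rather than on a substring match, which is what defeats the look-alike domain in the sample.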

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.