Tuesday, March 6, 2007

Microsoft Patch Day: The Next Generation

Opinion: Welcome to the SP2 era. Will we have a bifurcated patch day? Will Microsoft be able to move any faster?

It's not really the first patch day of the Windows XP Service Pack 2 era. Last month's, Aug. 10, was a few days after the initial release of the massive security-focused update.

But the initial day was anticlimactic, yielding only a single Exchange Server issue, and for an old version at that. But now we're over a month since Microsoft finalized the "gold" SP2 code, and we may be about to see how they will handle patches in the post-SP2 era.

The biggest issue is how Microsoft prioritizes patches for vulnerabilities that affect only pre-SP2 versions. I agree with a lot of what my colleague Steven J. Vaughan-Nichols has to say on this matter, but I don't share his pessimistic sense. At the very worst, SP2 is now just another version of Windows they have to deal with.

I expect that for some time Microsoft will have to keep Windows XP SP1 and SP2 tracks for security vulnerabilities. In a very important sense, the SP1 track is more similar to the Windows 2000 track than SP2, because Internet Explorer is so different in Windows XP SP2.

The other thing I'm looking out for is whether they move any faster on SP2 vulnerabilities than they have in the past on SP1 and other earlier versions. We have had one important SP2 vulnerability since it was released, the (in)famous drag-and-drop vulnerability. It's not a real killer, but it's a bad one, and it demonstrates an oversight in Microsoft's lockdown of Internet Explorer in Service Pack 2.

One can only imagine that when Microsoft works on the patch for this vulnerability they will discover underlying problems broader than this particular hole. The report accompanying the patch will expose other problems.

But once again I'm optimistic because another thing SP2 does is really, really urge you to turn on Automatic Updates. Some experts are uncomfortable with Automatic Updates. Fine, experts can turn them off, but novices should be running them. Enterprises and other expert-run networks can set up their own Windows Software Update Services servers and test patches while still allowing automatic updates to proceed as soon as they think it prudent.

But in either case I think we can expect that more users of SP2 will be getting updates more quickly. SP2 vulnerabilities will have a harder time getting exploited widely unless they appear as day 0 network worms. The drag-and-drop vulnerability, in spite of Secunia's typically hysterical claims about outside exploits, don't have the potential to spread widely, and require user interaction and a Web site to host them, both of which are brakes on the spread of the attack.

I can't make up my mind about the severity of the drag-and-drop vulnerability. If it's really serious, then I wouldn't expect it this patch day because Microsoft will fix it out of cycle when then can fix it. But if it's not that important, then they may wait until next month to fix it, because it hasn't been that long since it was revealed.

In fact, if I had to wager, I'd bet on more SP1 patches this month and for a while. There are still a bunch of SP1 vulnerabilities out there unpatched, and now that SP2 is done I would hope they would get some more attention.

Microsoft Graphics Bug Threatens Systems

UPDATED: Experts worry that this new JPEG bug can be exploited through an HTML e-mail, allowing the attacker to run any code allowed under the user's permissions. "Very serious," says one, pointing to the chance of copy-cat attacks.

Microsoft Corp. on Tuesday offered patches for two serious vulnerabilities in its products. One of the security breaches—taking advantage of the action from a tweaked image file—compromises a wide range of Microsoft products, including server and client operating systems as well as applications such as e-mail.

However, this "Patch Tuesday," following the August release of Windows XP SP2 (Service Pack 2), appeared to sidestep concerns over whether Microsoft will provide different patches for XP SP1 and XP SP2 installations. The patches released on Tuesday addressed issues with SP1 and other Microsoft applications.

The more serious of the two vulnerabilities allows a specially malformed JPEG graphic file—when viewed in any of a large number of Microsoft products—to compromise the system, allowing execution of any attack code.

The second also allows remote code execution through a bug in the Word Perfect file converter. Microsoft said both bugs were reported privately to the company and had not been revealed until the release of the patch.

The JPEG bug, an error in the GDI+ Type Library, has the potential for widespread damage, as it can be delivered through an HTML e-mail. Once an exploit of the problem runs on a system, it can run any code allowed under the user's permissions.

The advisory for the JPEG bug lists Windows XP; Windows Server 2003; Office XP and 2003; numerous versions of Microsoft Project; Visio and Visual Studio.NET; and many other consumer and professional products affected by the issue, including:

  • The Microsoft .NET Framework version 1.0
  • Microsoft Picture It 2002 (all versions)
  • Microsoft Greetings 2002
  • Microsoft Picture It! version 7.0 (all versions)
  • Microsoft Digital Image Pro version 7.0
  • Microsoft Picture It! version 9 (all versions, including Picture It! library)
  • Microsoft Digital Image Pro version 9
  • Microsoft Digital Image Suite version 9
  • Microsoft Producer for Microsoft Office PowerPoint (all versions)
  • Microsoft Platform SDK Redistributable

    Windows XP SP2 (Service Pack 2) is not affected, but many SP2 users will need to acquire patches for vulnerable applications they use. By default, Windows 98, ME, NT and 2000 are not vulnerable, but any of the vulnerable applications would be vulnerable when running on them.

  • Security experts considered the new graphics vulnerability a real threat.

    Russ Cooper, senior scientist at TruSecure Corp., of Herndon, Va., and editor of the NTBugtraq security mailing list, said he was distressed at the potential for this vulnerability to spread through HTML e-mail. He compared it with the so-called Good Times Virus, a hoax perpetrated a decade ago about a virus users could get simply by reading an e-mail. However, in the case of the JPEG bug, the vulnerability is all too real.

    Cooper also wondered "why XP SP2 contained a revised GDIPLUS.dll [the vulnerable graphics component], which wasn't vulnerable, yet earlier versions waited a month to get theirs."

    Microsoft was unavailable for comment.

    Craig Schmugar, virus research manager at McAfee Avert, called the problem "potentially very serious" due to its ability to run arbitrary code. He noted that McAfee Inc. has seen no proof-of-concept code for either vulnerability announced Tuesday. But he added, "Often, the release of the patch itself leads to exploits, as attackers reverse-engineer the patch code in order to learn what it's fixing. Hopefully, it won't come to that."

    Due to performance considerations, anti-virus products typically don't scan nonexecutable files such as JPEGs, so Schmugar said an IDS (intrusion-detection system) or IPS (intrusion-prevention system) such as McAfee Intercept—which look for behavior such as buffer overflows in a generic manner—offer a better solution.

    This Windows JPEG flaw is the latest in a string of vulnerabilities relating to graphics formats and image-handling libraries in multiple operating systems and browser platforms.

    In August, a security researcher uncovered multiple vulnerabilities in libpng, the PNG (Portable Networks Graphic) library. The flaw required an update to a number of open-source projects, including browsers and image-rendering engines such as Ghostscript.

    Microsoft in late July also released an out-of-order security bulletin to cover two vulnerabilities relating to Internet Explorer's handling of BMP and GIF image files. The flaw could be used for a denial-of-service attack as well as to execute arbitrary code, the Redmond, Wash. Software maker said at the time.

    According to Microsoft's advisory on Tuesday, the bug in the Word Perfect converter version 5.x, also a buffer overflow, requires the attacker to construct a special file and persuade the user to run the Word Perfect converter on the file.

    Once the user does this, attack code within the file could perform any action permitted to the user. If the user were logged on as an administrator, for example, the attack would have full system privileges. Because the user would need to be persuaded to read the file into the program, Microsoft called the problem "important" rather than critical.

    The Word Perfect converter is a component of Microsoft Office 2000; Office XP (2002); Office 2003; and Works Suites 2001, 2002, 2003 and 2004. Links to the appropriate patches for this bug may be found on the advisory page.

    Microsoft Fixes VPN Flaw in XP SP2

    Microsoft has issued a formal fix for a problem in Windows XP Service Pack 2 that appeared almost immediately after the update's release.

    The problem, which affected many VPNusers, causes errors when programs attempt to connect to loop-back addresses other than Service Pack 2 blocks all such addresses; users receive an error message saying that they cannot establish a connection.

    Microsoft had issued a hotfix for the problem last month, but the new update is more thoroughly tested and available to all without having to go through Microsoft Product Support Services.

    Sudden break in the flow of preparation

    I was preparing myself so hard. But as CAPGEMINI is postponed his date so got lazy. I am not a good student buddy. This happens. You can't imagine.... !!!

    Alas! i was prepared

    Capgemini is not coming for campussing today... they've postponed their date. Why man??