After releasing 10 security bulletins in June, Microsoft appears to be back to enjoying the summer. The software giant released only three security bulletins for July. While rated critical, none of the updates appear to pose highly dangerous threats, and only one has seen active exploitation so far.
Details
Microsoft released three security bulletins for July: MS05-035, MS05-036, and MS05-037. However, of the three critical bulletins that address remote code execution threats, only one really appears important at the moment.
In addition, MS05-033 recently underwent a major revision (version 2.0). The change isn’t due to any problem discovered in the initial release; it’s simply a notification of the availability of a security update for Services for UNIX 2.0 and Services for UNIX 2.1.
MS05-035
Microsoft Security Bulletin MS05-035, “Vulnerability in Microsoft Word Could Allow Remote Code Execution,” which replaces MS05-023, is probably the most important of the three bulletins. (However, Microsoft has rated this threat as critical only for Word 2000.) The font-parsing vulnerability can permit remote code execution in some circumstances (CAN-2005-0564).
This is a newly discovered, not publicly disclosed vulnerability. According to Microsoft, no one is currently exploiting it in the wild.
Best Microsoft MCTS Training – Microsoft MCITP Training at Certkingdom.com
Applicability
* Word 2000
* Word 2002
* Microsoft Works Suite 2000
* Microsoft Works Suite 2001
* Microsoft Works Suite 2002
* Microsoft Works Suite 2003
* Microsoft Works Suite 2004
Word 2003 and Word 2003 Viewer are not vulnerable. Microsoft hasn’t tested versions earlier than Word 2000 for this vulnerability.
Risk level
Microsoft has rated this vulnerability as critical for Microsoft Word 2000 and all affected versions of Microsoft Works Suite. Microsoft has rated it an important threat for Word 2002.
Mitigating factors
An attacker could only gain the privileges of the vulnerable user. Following the best practice of running the application with the lowest possible privilege helps reduce the threat. In addition, a user must actually open the message in Word; merely opening an e-mail that has the malicious attachment won’t trigger the attack.
Fix
Apply the update. The Microsoft Baseline Security Analyzer (MBSA) 1.2.1 will report if an update is necessary. MBSA 2.0 will also detect the problem; however, it doesn’t support Microsoft Office 2000. The Systems Management Server (SMS) does detect the problem in some instances, and it can deploy the update. As a workaround, don’t open Word documents from an unknown source.
MS05-036
Microsoft Security Bulletin MS05-036, “Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution,” gets a high-risk rating because the threat allows remote code execution and would be difficult to detect (CAN-2005-1219).
This is due to a flaw in the way the module handles International Color Consortium (ICC) profile format tag validation. It requires a would-be attacker to generate a special image file that he or she could place on a Web site or in an e-mail attachment.
Applicability
* Windows 2000 Service Pack 4
* All versions of Windows XP (including SP2 and 64-bit editions)
* All versions of Windows Server 2003 (including Itanium editions)
* Windows 98
* Windows SE
* Windows ME
Other versions, such as Windows NT, are vulnerable, but Microsoft no longer supports them.
Risk level
For Windows 98, Windows SE, and Windows ME, Microsoft has rated MS05-036 as an important threat. It is a critical threat for all affected systems.
Mitigating factors
An attacker could only gain the privileges of the vulnerable user. Following the best practice of running the application with the lowest possible privilege helps reduce the threat. In addition, a user must visit a malicious Web site.
Fix
Apply the update. MSBA 1.2.1 and 2.0 will detect whether an update is necessary. SMS can detect the problem and help deploy the update. According to Microsoft, there are no known workarounds.
MS05-037
Microsoft Security Bulletin MS05-037, “Vulnerability in JView Profiler Could Allow Remote Code Execution,” is a new, publicly known vulnerability in Internet Explorer related to the JView Profiler COM object Javaprxy.dll (CAN-2005-2087). While this is a newly discovered vulnerability, attackers are actively exploiting it as this time.
Applicability
* Internet Explorer 5.01 SP4
* Internet Explorer 6
* Internet Explorer 6 SP1
* Internet Explorer 5.5 SP2
Risk level
MS05-037 is a critical threat for all affected versions except for IE 6 for Windows Server 2003 and Windows Server 2003 SP1. For these versions, it is only a moderate threat.
Mitigating factors
An attacker could only gain the privileges of the vulnerable user. Following the best practice of running the application with the lowest possible privilege helps reduce the threat.
IE’s Restricted Sites Zone should block an attempted attack in HTML e-mails. The only other way to conduct an attack is to entice the user to a malicious Web site.
In addition, the Microsoft Java Virtual Machine (JVM) is not part of the default installation for Windows XP SP1, Windows XP SP2, Windows Server 2003, or Windows Server 2003 SP1.
Fix
Apply the update. MSBA 1.2.1 and 2.0 will detect whether an update is necessary. SMS can detect the problem and help deploy the update.
Updated in July, Microsoft Security Advisory 903144, “A COM Object (Javaprxy.dll) Could Cause Internet Explorer to Unexpectedly Exit,” fixed this problem. If you applied the advisory’s patch, you can ignore this bulletin. The patch, which sets a kill bit, doesn’t alter the operation of the software.
As a workaround, change IE’s Internet and intranet security zone settings to high, which causes IE to prompt the user before running ActiveX code. You can also just disable ActiveX controls.
Another workaround is to disable Javaprxy.dll, which blocks the use of Java code. You can find instructions for this method as well as additional ways to restrict JVM to eliminate the threat in the security bulletin.
Final word
I must admit that MS05-036, the Color Management Module threat, has somewhat confused me: Microsoft states both that it isn’t a publicly known threat but that attackers are actively exploiting it. Somehow that doesn’t quite make sense to me—but it could just be a minor editing glitch.
The impact of the other two threats doesn’t appear too great to me. Then again, I don’t run ActiveX code, and I never open .doc files sent by anyone I don’t know really well.
I also don’t open HTML e-mails, click attachments, or visit sites to which strangers direct me. I consider these reasonable security practices, and I hope many others follow the same guidelines, which should greatly reduce the impact of these threats.
All in all, I suspect that these threats—although correctly rated as critical because they permit remote code execution—will have a very limited impact.
Also watch for …
* Remember Sasser and all the excitement over catching the perp? Well, I believe I was one of the people who pointed out that German laws on this sort of thing were so lenient as to be meaningless. A German judge recently handed down the punishment to Sven Jaschan, the confessed author of the Sasser worm, for causing a likely million dollars worth of damage.
His punishment? A 21-month suspended sentence and 30 hours of community service. But the good news is that Microsoft’s Anti-Virus Reward Program will pay out $250,000 to the two people who helped catch him. I applaud Redmond for the powerful message it’s sending to hackers: Do something bad, and you better not brag about it!
* Authorities recently arrested a Florida man and charged him with unauthorized network use for using a homeowner’s unsecured wireless network to connect his laptop to the Web while sitting in his car. This is apparently the first arrest for unauthorized Wi-Fi access.
But if zero security features are present on a wireless network, how do you know the person would object to sharing his or her bandwidth? The charges don’t include hacking, data theft, or causing any damage—just using unsecured bandwidth. And how is that different from sitting outside one of the many businesses that run open wireless networks?
* If you use PDF files, don’t think that you can just black out information you want to keep private. For example, check out this PDF copy of an indictment for computer hacking against U.S. government sites (if no one has altered it yet). In the version still online as of this article’s publication (July 18, 2005), the authors had blacked out the site locations, indicating that someone apparently thought it was sensitive information. However, a simple block copy from the PDF document to a text or word-processor application removes the ethereal magic marker and displays the addresses.
* If you wondered why the Microsoft AntiSpyware utility doesn’t report a lot of software you probably don’t want on your machine, it might have something to do with the company’s mergers and acquisitions activity, at least according to a recent report about why the utility no longer considers Claria adware as spyware. It’s definitely a timely change, considering recent reports that Microsoft may be contemplating a purchase of Claria.
* And finally, beware: According to a News.com report, exploit code for vulnerabilities in Firefox versions prior to 1.0.2 is in circulation.