Microsoft Corp has released patches for more than 20 software vulnerabilities, most of them critical. Several of the vulnerabilities, in software such as Excel, Internet Explorer and Exchange, could enable mass automated worm attacks.
It’s the biggest chunk of patches released by Microsoft since it turned the second Tuesday of every month into Patch Tuesday a year ago. The latest patches are spread over 10 downloads, each related to a separate group of vulnerabilities.
Of the 10 bulletins, Microsoft rates seven of them critical, a rating it usually reserves for remote code execution vulnerabilities on widely deployed systems that could be used in a worm attack requiring little human intervention to spread.
Brian Mann, outbreak manager at McAfee Inc, said that he thinks bulletins MS04-035 and MS04-036, on vulnerabilities in the SMTP and NNTP components of Exchange 2003 and Windows Server 2003, describe the most dangerous problems.
“It’s pretty easy to exploit, and once you’re in you own that system. Once you get into the gateway you can pretty much access anything,” Mann said. Exchange is a particularly juicy target for spam-related attackers, he added.
Drew Copley, senior research engineer at eEye Digital Security Inc, said he doubted the NNTP (network news transfer protocol) could be used to attack Usenet, as he believes most ISPs run Unix-based news servers.
Mann also pointed to a vulnerability, found by Copley and outlined in MS04-034, in how most of the latest Windows versions (except XP SP2) handle Zip-compressed files. This is particularly vulnerable to an email worm, he said.
“It shouldn’t have much impact on the enterprise, because most people are doing some kind of management or filtering, but in the consumer space it could be much different,” Mann said. Copley said an exploit could be written that would run when people simply clicked a link.
Copley said that it took Microsoft 71 days to patch the Zip problem after being notified, but that another vulnerability, a less-severe privilege escalation problem in Windows, took the firm 408 days to patch, though it was stealth-patched in XP SP2.
“They can do better than that in my opinion. Even when they are fast there are often variants out by the time the patch comes out,” he said. “I think that’s a very important criticism to make.”
Software affected by the latest vulnerabilities includes most versions of Windows clients and servers, Exchange, Internet Explorer, and Office. Mac users should note that the Office vulnerability is also present in the Mac version.