Microsoft has issued five new critical security bulletins, offering patches for 14 vulnerabilities in Windows products, including one that could allow the much-derided Clippy software assistant to take full control of a PC on behalf of a bad guy.
The suite of patches also fixes the recently disclosed zero-day animated cursor vulnerability, which is already being exploited in the wild, and vulnerabilities in the two-month-old Windows Vista.
The bulletins, numbered MS07-017 through MS07-021, each have something interesting to say, and security vendors were broadly split on which were the most important.
The most important patches to apply are those in 017, which close the ANI cursor bug in Windows, because it is already being exploited, according to Don Leatham, director of security solutions at PatchLink.
Microsoft had broken its monthly Patch Tuesday cycle, a rare occurrence, to deliver that patch last week, so urgent was it considered. It is a potential zombification vulnerability that allows hackers to execute malware when users visit a malicious web site or view a crafted email.
Even though Microsoft released it early, some companies felt they would wait a week, said Leatham. Many already limit where their workers go on the web, and they have policies set up to make sure automatic email previewing in Outlook is turned off.
PatchLink and Symantec also agreed that 021 is pretty important. This one is in the Windows Client/Server Run-time Subsystem, a component of all the widely deployed Windows clients. Again, it comes in through Internet Explorer and can let the hacker own your box.
Symantec views these patches as critical because there is an increased potential for exploitation since these vulnerabilities affect multiple versions of Microsoft Windows, including Windows Vista, Vince Hwang, group product manager at Symantec said in a statement.
Clippy, the animated paper-clip universally deactivated moments after the installation of early versions of Office in the 1990s, comes into the picture in the 020 bulletin. At least, Clippy’s successor, Microsoft Agent, is vulnerable.
Microsoft Agent is a Windows component that uses interactive animated characters to guide users. It is not in Office this time; it is an ActiveX control in IE that can be activated by web sites.
This Agent control handles URLs badly, allowing attackers to execute the code of their choice on victim PCs. IE7 users are not affected, but Symantec rated this as the most critical of the vulnerabilities disclosed yesterday.
McAfee’s David Marcus, security research and communications manager, noted the CSRSS vulnerability in 021, and named bulletin 018 as the second of its two vulnerabilities of particular concern.
The 018 bulletin affects the 2001 and 2002 versions of Microsoft Content Management Server. In terms of the potential threat, we’re talking network worms of the Slammer and Blaster ilk.
This is a server-side bug, another vendor, Shavlik, said in a statement. This means the server can be attacked without requiring any user intervention on the server itself. Any unpatched Content Management Server can be attacked remotely over port 80.
However, CMS is not as universally deployed as Windows, which substantially mitigates the threat. Also, nowadays malware writers are not so much concerned with emulating Blaster for hacker kudos as they are being stealthy in order to avoid detection and make some money.
Shavlik also named the remaining bulletin, MS07-019, as one of its top two. This vulnerability, in the Universal Plug and Play components of Windows, would also allow a network worm, but with one significant limitation.
It would only be able to replicate itself to machines on the same subnet. That will usually mean computers using IP addresses where only the last octet or two octets are different – in other words, 256 or 65,000 machines at most – according to PatchLink’s Leatham.
Clearly, the security industry cannot speak with one voice when it comes to deciding which of these vulnerabilities is the biggest cause for concern. The simple way out of that quandary is for users to apply all the patches, as they probably should be doing anyway.