Microsoft Corp. issued its first security patches of the new year Tuesday, warning users about a critical vulnerability in a component of the Microsoft Internet Security and Acceleration (ISA) Server used to control IP (Internet protocol) telephony traffic.
Three bulletins, MS04-001 through MS04-003 were posted on Microsoft's Web site Tuesday, including lower-priority patches for Exchange Server 2003 and the Microsoft Data Access Components (MDAC), which is used by certain versions of Windows and Microsoft SQL Server.
H.323 is a protocol that is used by IP telephony applications to send audio and video over IP networks. A buffer overflow in a filter for the H.323 data packets, which is part of ISA Server 2000, could enable a malicious hacker to run their own code on vulnerable servers, which would potentially grant them total control over the system. Attackers would have to send a special H.323 packet that was designed to trigger the overflow, Microsoft said.
Microsoft was just one of many companies that issued warnings about the H.323 vulnerability on Tuesday. Cisco Systems Inc. also issued software patches for versions of the Internetwork Operating System (IOS) that contain the vulnerability. (See http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.)
Attackers would not necessarily have to be using voice over IP to trigger the security hole, as long as the vulnerable service was enabled and listening for incoming H.323 traffic, said Craig Schmugar, virus research manager at Network Associates Inc.
"It's not like (attackers) have to punch a bunch of funny numbers into a phone to exploit this," he said.
Also patched on Tuesday was a buffer overrun in a number of versions of MDAC, which support database operations in Windows and SQL Server.
Attackers who successfully trigger the security hole, which Microsoft rated "important," could potentially elevate their level of permission on the vulnerable system to the same level as the user running the application that uses MDAC, Microsoft said. (See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/winjan04.asp.)
A third security patch for Exchange Server 2003 was rated "moderate" and fixes a flaw that could allow Outlook Web Access users to view the contents of other e-mail boxes on the Exchange server, Microsoft said. To take advantage of the security hole, attackers would need a valid Exchange 2003 account. Also, attackers would not be able to select which e-mail box they view, the company said. (See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/excjan04.asp.)
The releases continue Microsoft's new policy of issuing monthly security updates for customers.
While there are no known exploits for any of the security holes Microsoft patched Tuesday, a fix for at least one actively exploited flaw in Internet Explorer was missing from the batch of patches, Schmugar said.
That vulnerability, commonly referred to as the "0x01 exploit" allows attackers to display a different Web address in Internet Explorer's Address field a from the actual location of the Web page that is being displayed. The problem is actively being exploited by online scam artists who use mock-ups of legitimate Web sites in so-called "phishing" scams to harvest online account and personal identification information, he said.
"It's hard to say why they haven't patched that yet. But as (the Internet Explorer exploit) becomes even hotter and is exploited more, I think you'll likely see a patch for that, also," Schmugar said.
Microsoft has reportedly patched the problem in Windows XP Service Pack 2 and may well be planning to use the release of that software upgrade to address the problem, said Thor Larholm of security company PivX Solutions LLC.