Print
Close Window
From: www.itworld.com
Microsoft issues patch to crush 20 bugs
October 15, 2008 —
Microsoft on Tuesday patched 20 vulnerabilities, more than half of them rated critical, in 11 separate security updates for Windows, Office, Internet Explorer (IE), Active Directory and the Host Integration Server.
Also for the first time, the company predicted the likelihood that hackers would come up with exploits for each bug.
"The count's big," said Andrew Storms , director of security operations at nCircle Network Security Inc. Eleven of the 20 flaws were rated "critical," the top ranking in Microsoft's four-level threat scoring system, while eight were pegged as "important," the next step down, and one was listed as only "moderate." Tuesday's update was the largest since August, when Microsoft issued 26 patches in 12 bulletins.
Storms identified two general themes in the latest round of patches. "First, there's still a pervasiveness of client application updates that doesn't seem to be diminishing at all, and second, Microsoft's newer software is still less vulnerable than its older."
On the first point, Storms ticked off updates that addressed three critical vulnerabilities in Excel and six critical bugs in IE , while for the second he listed several security bulletins that tagged Windows 2000 or older editions of Office as vulnerable, but gave newer versions of its operating system or applications either a pass or lowered the threat for users.
"Today's patches really continue to hammer the idea that the newer [Microsoft] software is more secure," said Storms. "If there was ever a reason to update to newer software, this is it. There's no reason not to update, for example, to IE7."
Storms highlighted two other updates that he thought should receive special attention, particularly by enterprise IT professionals. One, spelled out in MS08-060 , affects Active Directory, while the other, MS08-059 , affects Host Integration Server (HIS), a little-known corporate product that connects Windows-based networks to IBM mainframe and AS/400 systems. Microsoft marked both bulletins as critical.
"The attack surface is low for MS08-059, but the potential impact is high because HIS interacts with the critical back-office infrastructure that can't be down," said Storms. Tuesday's patch was the first ever for HIS, a fact that didn't escape Storms. "Now there's an update that will affect administrators who probably wanted nothing to do with Microsoft," he said.
"And there will be a lot of discussion about the Active Directory vulnerability as well as the SMB bug , mainly because these are remote exploits," Storms said. "They're in the classic style, where just some data packets can compromise systems. For that reason, I think they will garner a fair amount of respect, and researchers will probably exploit that."
Microsoft also used Tuesday's updates to launch its "Exploitability Index," a new effort announced in August . The index, which can be found in October's summary , lists each vulnerability along with the company's exploit rating. Microsoft settled on a three-step system that, in descending order of severity, predicts that researchers or hackers will come up with a consistently working exploit, develop an exploit that works only some of the time, or fail to craft attack code at all.
The inaugural index pegged eight of the month's 20 vulnerabilities with "Consistent exploit code likely" label, seven with the "Inconsistent exploit code likely" tag and four with "Functioning exploit code unlikely."
One of the bugs in the six-patch IE collection was not given a rating because exploit code is already out in the wild. The vulnerability had gone public nearly four months ago, and could have been used by identity thieves to launch cross-site scripting attacks. Microsoft, however, claimed it has no evidence that the bug had actually been exploited.
Microsoft said its predictions were for a limited period, rather than open-ended. "The Exploitability Index makes an assessment on the likelihood that code will be released that exploits the vulnerability or vulnerabilities addressed in a security bulletin within the first 30 days after that bulletin's release," said a Microsoft spokesman, who quoted a technical description of the index posted on the company's site.
"I think they put together a pretty good and consistent view into the future, based on the data they had," said Storms. He saw the new information as far more important to corporate security professionals than to consumers. "But while they have a new data set [with the index], it doesn't mean that the enterprise can do less work," he cautioned.
Previously, Microsoft said that it expects customers to add the exploitability predictions to the already available threat rankings to fine-tune how they prioritize patching.
Storms also noted that another initiative announced in August, the Microsoft Active Protections Program, which gives select security vendors an early look at technical details of vulnerabilities before patches are posted, provides a way for outside researchers to toss in their two cents. "We now have a conduit to give a difference of opinion on exploitability," he said.
nCircle is one of the security vendors that has been accepted into the MAPP.
For the fourth time in the last six months, Microsoft also set the "kill bits" of several third-party ActiveX controls in a separate update that it described in detail in a new security advisory . The last time that Microsoft disabled other vendors' ActiveX controls was in August, when it shut down buggy software from Hewlett-Packard Co. and a Washington state developer. Microsoft will only set kill bits when the ActiveX control's developer asks the company to do so.
Microsoft disabled ActiveX controls crafted by Microgaming, Husdawg LLC and PhotoStockPlus.com Tuesday. Each company has also posted its own security advisory to provide more information on why its control needs to be shut down.
This month's 11 security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Computerworld