Stinkysteve
07-14-2004, 12:03 PM
Story here:
http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=23900628
Microsoft's Patch Count Climbs For July
By Gregg Keizer, TechWeb News
Although the last two months have seen relatively small parades of Microsoft patches, on Tuesday the Redmond, Wash.-based developer released seven security bulletins, two of which it rated "Critical," the company's highest warning.
Missing from the long list, however, are the permanent patches or updates to Internet Explorer that Microsoft has been promising users hit by an increasing number of bugs in that browser.
The first of the bulletins ranked as Critical is dubbed MS04-022, http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx and involves Windows NT, 2000, and XP. A flaw exists in the Task Scheduler, Windows' scheduling agent for running programs or scripts at pre-defined times. The scheduler can be hacked to create a buffer overflow, which would then give an attacker full access to the system, letting him delete files or steal confidential information.
But while Microsoft rated it as Critical, it also said that some user interaction is necessary for an exploit to succeed. A Web-based attack, for instance, would require that the victim be enticed to a malicious site, perhaps by putting a link within an e-mail message.
Security firm Symantec views this vulnerability as the most dangerous of July's bunch, but not for the same reasons as Microsoft. "Even though the scenario Microsoft poses is a Web-based attack, we're looking at it as very wormable," said Vincent Weafer, the senior director of Symantec's security response team. "In other words, we think there's potential to roll an exploit of this vulnerability into an automated worm that wouldn't require user help."
No such worm yet exists, cautioned Weafer, but of the vulnerabilities disclosed Tuesday, this is the one he's betting on being exploited by hackers.
Not all analysts agree. McAfee's Vincent Gullotto, the vice president of its research team, thought that Microsoft overreacted by tagging this vulnerability with the highest-possible rank. "I don't understand Microsoft's thinking on this," Gullotto said. "It requires user interaction, and from our point of view, vulnerabilities that don't require any help from the user are the most dangerous."
Instead, Gullotto named MS04-021 http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx , MS04-024, and MS04-023 as McAfee's three most wanted.
MS04-021 affects Windows NT 4.0, and stems from a bug in Internet Information Services 4.0, the Web server component of the aging OS. IIS 4.0's redirection feature -- which administrators can use to send page requests to the company's site to more than one server -- can be exploited to gain complete control of the system. No user intervention is needed, which is why Gullotto put it high on his list. Microsoft, however, rated it as "Important," one step below Critical.
IIS 4.0's vulnerability is not the one exploited by a widespread infection in late June of Web servers running IIS; that attack was ultimately pegged as a problem with IIS 5.0. How those servers were infected is still a mystery to investigators.
MS04-024, http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx also ranked as "Important," impacts more systems -- those running Windows NT, 2000, XP, and Server 2003 -- but requires user intervention and assumes that the hacker has logged on with administrator privileges. By taking advantage of a flaw in how Windows Shell launches applications, a hacker could take full control of the machine. Microsoft said the likeliest attack would come via e-mail with links to a malicious site.
The reason why Gullotto put this vulnerability at the top of his list is that proof of concept code has been published (and publicized) by hackers. "Whenever proof of concept code is available, users should keep an eye on a vulnerability a little bit more," he advised. "It's what we call the 'ease factor.' Once proof of concept code is published, it's a lot easier for attackers to create something malicious."