[ISN] Microsoft Releases New Batch of Patches

InfoSec News isn at c4i.org
Wed Jul 14 01:50:07 EDT 2004


http://www.washingtonpost.com/wp-dyn/articles/A47383-2004Jul13.html

By Brian Krebs
washingtonpost.com Staff Writer
July 13, 2004

Microsoft Corp. today issued two "critical" software updates for its
Windows operating system, bringing to 12 the total number of critical
software fixes the company has released so far in 2004 and putting the
focus once again on the security of Microsoft's widely used Internet
Explorer Web browser.

The two patches deal with security holes in the Windows 2000 and
Windows XP operating systems. The first involves a flaw in "task
scheduler," a program that allows Windows users to run applications at
scheduled intervals. The other resides in Microsoft's built-in "HTML
Help" function, which offers tips on using Windows programs.

Stephen Toulouse, Microsoft's security program manager, said both
vulnerabilities could be exploited via Internet Explorer if hackers
can trick computer users into visiting a Web site designed to target
the security holes.

Microsoft said that, if left unpatched, computers running the vulnerable
Windows versions could be remotely controlled by hackers. Microsoft
rates security flaws as "critical" if they can be easily exploited,
such as by an Internet worm that can infect a computer without a user
having to click on an infected e-mail attachment or download a file
from the Internet.

Microsoft also released five other patches today, including a fix for
the software it makes to power Web sites. Rated by the company as
"important," the patch fixes a flaw that could allow hackers to seize
control over Web sites powered by Microsoft's Internet Information
Services (IIS) Web server version 4.

Last month, at least two separate attacks targeted hundreds of Web
sites powered by the IIS software. Those attacks leveraged a
combination of Internet Explorer and IIS flaws to surreptitiously
plant spyware on PCs. The spyware program was designed to steal
personal information like passwords and account numbers when an
infected computer was used to access one of several online banking
sites.

In a departure from its regular schedule of monthly patch releases,
Microsoft issued a fix to remedy that problem on July 2. But security
experts later demonstrated that the vulnerability could still be
targeted using a slightly different method; one of the patches
released today seeks to fix the original patch.

Experts say attacks that rely on tricking Internet Explorer users into
visiting certain Web sites are particularly dangerous because many
security systems protecting corporate Web sites are configured to
permit Web browsers to access files and upload information.

"When an attack is coming through the Web browser, at that point it's
pretty much already gotten past whatever security or firewalls you
have in place," said Marc Maiffret, a security expert at eEye Digital
Security in Aliso Viejo, Calif.

Vincent Weafer, senior director of Symantec Security Response, said
Web browser exploits are fast becoming a preferred attack method for
hackers because they're stealthy and can be targeted to an individual
user. Weafer said browser-based attacks are particularly appealing for
those interested in conducting Internet fraud scams or planting
spyware on PCs.

"Without a doubt, these are the types of attacks that we're going to
be seeing a lot more of for some time," Weafer said.

A total of seven patches were released by Microsoft today, along with
an automated tool that scans PCs for signs of infections from last
month's browser attack. The various patches are for Windows Server
2003, Windows XP, Windows 2000, Windows NT 4.0, Windows ME and Windows
98.

All the patches can be accessed through www.microsoft.com/security.
Microsoft also encourages Windows users to visit its Windows Update
site (windowsupdate.microsoft.com) and allow it to scan their
computers for needed software updates.
