Microsoft has released a flood of information on new and previously disclosed holes in a wide range of software products, many of them rated "critical" and, according to a security expert, well-suited to use by malicious hackers or virus writers.
The company has published four security bulletins: MS04-011, 012, 013, and 014, containing patches for 20 unique software vulnerabilities. Critical holes were found in the Internet Explorer Web browser; in a standard Windows component for managing local system security and authentication, the Microsoft Secure Sockets Layer library; and the Remote Procedure Call (RPC) Runtime Library, which comes with Windows, according to Microsoft.
The software patches touch a wide range of Microsoft's products, from Windows 98 through Windows Server 2003 64-bit edition, as well as a number of versions of the Outlook Express e-mail program.
Highlights of Holes
Among the most critical holes Microsoft is warning about is a buffer overrun vulnerability in the Local Security Authority Subsystem Service (LSASS), which is used to authenticate users locally and also in client-server environments. Some Active Directory utilities also access this service.
An attacker could exploit the vulnerability and remotely attack and take total control of Windows 2000 and Windows XP systems. The same vulnerability does not affect Windows 98 or NT, and is rated "low" for Windows Server 2003, meaning that it is extremely difficult to exploit or will have only minimal impact on the system if exploited, according to Microsoft.
The second critical vulnerability is a buffer overrun hole in the Private Communications Transport (PCT) protocol, part of Microsoft's Secure Sockets Layer library, which is used to secure communications between servers and clients on public networks and the Internet. Microsoft and Visa developed the protocol to conduct encrypted communication on the Internet, Microsoft says.
An attacker who could exploit the buffer overrun hole could take complete control of affected systems to install programs; view, modify, or delete data; or change user access to the system. Attackers could exploit the flaw by sending a Transmission Control Protocol (TCP) message to a vulnerable system. The message would have to be designed to cause the buffer overrun and run the attacker's code on the machine, the company says.
The protocol hole is rated "critical" for Windows NT 4.0 and Windows 2000, "important" for Windows XP, and "low" for Windows Server 2003, Microsoft says.
While Microsoft disclosed a number of other critical security holes in these and other recent bulletins, one security expert calls the LSASS and PCT holes particularly dangerous. They pose greatest risk because they can be triggered remotely and without any action being taken by users on affected systems, says Firas Raouf, chief operating officer of EEye Digital Security.
EEye researchers discovered the LSASS vulnerability and reported it to Microsoft, Raouf says.
The two holes can also be exploited using common techniques such as creating stack-based overflows. That will accelerate the development of exploits for the two vulnerabilities, which are well-suited to use in an Internet worm like the Blaster or Slammer worms, he says.
"The window of opportunity to remediate these is small. It's likely that someone will repackage existing worms to attack the new vulnerabilities, so [Microsoft customers] need to patch their systems in the next couple days," he says.
Microsoft has also issued a revised cumulative patch, MS04-013, for recent versions of the Outlook Express e-mail client, which ships with most versions of Windows.
The bulletin also lists a critical new problem with the way Outlook Express interprets a kind of URL known as a MIME Encapsulation of Aggregate HTML, or MHTML. The vulnerability could allow an attacker to run their own HTML code on Windows systems using an affected Outlook Express client.
MHTML allows documents with MHTML-encoded content to be displayed in software applications like the Internet Explorer Web browser. To trigger the flaw, attackers would have to create a specially crafted MHTML URL, which use the prefix MHTML://. Attackers could launch an attack by tricking users into visiting a Web page containing the nefarious MHTML:// link or sending an HTML e-mail message with such a link in it, Microsoft said.
Fast Fixes Urged
Several security companies, including Network Associates, Computer Associates, EEye, and Internet Security Systems have issued statements warning customers about the newly disclosed vulnerabilities. Some, such as Network Associates, are offering filters to detect and guard against malicious traffic trying to exploit the new holes.
Computer Associates is already seeing exploitation of the MHTML hole and says exploits for the other software vulnerabilities could follow.
"Since many of these issues are previously undisclosed, it may take a few days or weeks for attackers to develop exploit code and other forms of malware," says Sam Curry, vice president of ETrust Security Solutions, a Computer Associates division.
Microsoft's monthly, cumulative bulletins generally make it easier for customers to deploy the security patches, says EEye's Raouf. But he is critical of the company's handling of vulnerability information, including the LSASS hole, which EEye reported to Microsoft in October 2003.
"The downside [of the monthly bulletins] is that Microsoft is keeping critical vulnerabilities under wraps until enough can be put together, and that increases the likelihood that an unethical research firm will find the same flaw, not tell Microsoft about it, and unleash hell," he says.
Even when proper disclosure procedures are followed, the sheer number of new critical vulnerabilities will be a feast for virus writers.
"If somebody is looking to put together a worm in the next couple of days, they'll have a number of vulnerabilities to choose from," Raouf says.