GDI+ Tool in Oct. Security Updates
Oct. 18, 2004
Updates for seven critical and three important vulnerabilities, as well as additional information and a new vulnerability-detection and update-installation tool for the GDI+ vulnerability, were included in Microsoft’s Oct. 2004 monthly security posting. Administrators need to analyze the monthly posting carefully to determine the full extent of an organization’s risk, because once again the monthly update includes cumulative updates for both Windows and Internet Explorer (IE) that patch multiple problems. Microsoft also acknowledged a newly reported vulnerability in ASP.NET for which a workaround is available. (For a chart summarizing these updates, see "Oct. 2004 Update Summary".)

New Tool and Guidance for GDI+

Perhaps as important as the information about new updates is the release of an enterprise detection and update tool for the GDI+ vulnerability discovered in Sept. 2004. The GDI+ vulnerability affected many Microsoft and third-party products that redistributed the vulnerable component, making it particularly difficult to find all the instances that needed patching. (For more information on the GDI+ vulnerability, see "Graphics Files Pose Threat" on page 17 of the Oct. 2004 Update.) The original GDI+ detection tool was intended for consumers; now Microsoft has posted two versions of a new detection tool designed for organizations. One version is for organizations that want to scan computers for the required MS04-028 security updates and then apply any missing updates from a network share. This version can be run from a startup or log-on script or by a user with local administrator rights. A second version of the tool is available for organizations that use Microsoft Systems Management Server (SMS). Either version should be more useful for administrators than the detection tool initially released, because it can be used to check networked computers and apply the patches.
Microsoft has provided extensive documentation for the new tool versions; however, the instructions for configuring and running the new tool and interpreting the results are still complex. Microsoft is providing free support for administrators having problems with the tool, and administrators and developers will also find the amended guidance on the GDI+ vulnerability useful for determining whether third-party applications include the vulnerable GDI+ code.

Bulletin Rollups and Functionality Changes

Continuing a trend begun with the Aug. 2004 updates, two of the Oct. 2004 bulletins are cumulative rollups of fixes for multiple new vulnerabilities. The cumulative patch for IE addresses eight problems with IE versions 5.01, 5.5, and 6.0, including one with Cascading Style Sheets (CSS). Two fixes target address bar spoofing. The cumulative patch for Windows also rolls up four vulnerabilities, including one in the Windows kernel and another in graphics rendering. To improve the overall security of the system, some updates will change the behavior of the patched component. For example, the update for a problem with WebDAV, an industry-standard extension to the Hypertext Transfer Protocol (HTTP) that is used for remotely managing Web site content, requires that new limits be applied to the XML documents that WebDAV will accept.

Pending ASP.NET Update

Microsoft also acknowledged a vulnerability in ASP.NET running on Windows 2000 Professional and Server, Windows XP Professional, and Windows Server 2003 that could allow an attacker to bypass forms-based authentication or Windows authorization, potentially enabling the attacker to view secure content without providing the proper credentials. While Microsoft is working on an update, it has released an HTTP module that Web site administrators can apply to their Web server to protect all ASP.NET applications on the server against this problem.
As Microsoft continues to investigate this report, it will develop and test a patch for ASP.NET.

Resources

Technical bulletins for the Oct. 2004 vulnerabilities are at www.microsoft.com/technet/security/bulletin/ms04-oct.mspx.
To get the updates or an overview of the Oct. 2004 Windows vulnerabilities, see www.microsoft.com/security/bulletins/200410_windows.mspx.
The new GDI+ detection tool for organizations that do not use Microsoft Systems Management Server (SMS) can be found at support.microsoft.com/?kbid=886988.
The version for organizations that use SMS can be found at support.microsoft.com/kb/885920.
Updated information for administrators and developers on whether third-party software includes the vulnerable GDI+ code is at msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/gdiplus10security.asp.
Additional information on the newly reported ASP.NET vulnerability, including workarounds until a patch is available, is at www.microsoft.com/security/incident/aspnet.mspx.