IE Patch Precedes Year-End Updates
Dec. 20, 2004

Responding to exploits that were beginning to circulate for recently reported vulnerabilities in Internet Explorer (IE), Microsoft released a critical update prior to its Dec. 14, 2004, "Patch Tuesday." The critical patch was followed on Patch Tuesday by five important updates and a reissued bulletin for the GDI+ vulnerability reported in Oct. 2004. Customers will need to carefully review the bulletins to determine which patches they need to apply to their systems. (For additional information about these patches, see the chart "Dec. 2004 Update Summary".)

The critical IE patch fixes a buffer overflow problem in the code that processes HTML elements such as FRAME, an independent, scrollable region within the IE window, and IFRAME, which gives Web authors additional control over the display of information in a frame. An attacker could exploit these vulnerabilities through a Web page or an HTML-based e-mail to get control of remote computers.

Because exploits for this vulnerability were beginning to circulate on the Internet, Microsoft released the patch when it was ready, rather than holding it until the second Tuesday of the month, its typical patch release day.

The important patches released as part of the normal Dec. 2004 release also dealt with vulnerabilities that could allow an attacker to take control of an affected computer, but were rated "important" rather than "critical" because they are harder to exploit. The important patches involved the following technologies:

  • WordPad, which allows users to create and edit text documents with formatting and graphics
  • Dynamic Host Configuration Protocol (DHCP), which is used to assign IP addresses on a network
  • HyperTerminal, which is used to connect to other computers using terminal emulation
  • Local Security Authority Subsystem Service (LSASS), which provides an interface for managing local security, domain authentication, and Active Directory service processes
  • Windows Internet Naming Service (WINS), which maps IP addresses to NetBIOS computer names and vice versa, allowing individuals to locate resources by their computer name rather than by their IP address.

In addition, one update repairs a vulnerability in the way that the Windows kernel launches applications.

Microsoft also revised the security bulletin it released in Oct. 2004 for the GDI+ vulnerability in Windows, Office, and graphics applications from third parties that redistribute the GDI+ component with their applications. The revised bulletin has updated information on the vulnerability as it affects Microsoft Visual FoxPro 8.0 and the Microsoft .NET Framework.

On Dec. 16, two days after the scheduled monthly release of critical and important security updates, Microsoft released an additional critical update to Windows XP SP2 through Windows Update. The update fixes a problem created by some dial-up software configuring routing tables in a manner that caused the Windows Firewall to reveal shared drives on the Internet. Microsoft says it did not need to provide a security bulletin or release it with the other critical updates as part of the monthly security release because the fix was for a design flaw rather than a bug. But administrators are unlikely to appreciate this fine distinction and would benefit from a consistent definition of "critical" between the security, Windows Update, and other Microsoft product teams, and release of all critical patches as part of the same monthly process.

Information from Microsoft on the updates released in Dec. 2004 can be found at www.microsoft.com/security/bulletins/200412_windows.mspx.

Background on the GDI+ vulnerability can be found in the article "Graphics Files Pose Threat" on page 17 of the Oct. 2004 Update and "GDI+ Tool in Oct. Security Updates" on page 12 of the Nov. 2004 Update.