August 2005 Security Updates
Aug. 15, 2005

August 2005's "Patch Tuesday" included one important and three critical patches for vulnerabilities in Windows. In addition, Microsoft released a Knowledge Base (KB) article documenting problems with the recently released Update Rollup for Windows Server 2003 SP4 that will require Microsoft to reissue the rollup. There have been reports of new attack vectors in Windows Vista, the next version of the Windows client, which is currently in beta.

August Patches

Three critical patches released in Aug. 2005 fix vulnerabilities in Windows, including the following:

A cumulative patch for problems related to JPEG rendering, Web folder behavior, and COM object instantiation with Internet Explorer (IE)—this update is cumulative because the multiple vulnerabilities require modifications to related files

A patch for an unchecked buffer in the Plug-and-Play service (this service allows Windows to detect new hardware installed on a computer)

A patch for an unchecked buffer in the print spooler (this service loads when the OS starts and manages the printing process).

On unpatched systems, these critical vulnerabilities could allow an attacker to take full control of the vulnerable computer.

The cumulative patch for IE resembles the patch for the JView Profiler vulnerability issued in July 2005, in that it uses Registry entries called kill bits to stop COM objects that are not intended to be used in IE from loading. Following up on the JView Profiler vulnerability, Microsoft reviewed all the COM objects it includes with Windows and found an additional 42 that could be instantiated from IE even though there was no reason to do so. If these objects did get loaded, they could potentially be exploited. The patch contains kill bits for all 42 of these COM objects.
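To confirm after patching that the kill bits described above are actually in place, an administrator can audit an export of the registry. The Python code below is an added example, not part of the original article and not Microsoft code. It relies on the kill bit being the 0x00000400 bit of the "Compatibility Flags" value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; the function names are hypothetical and the CLSIDs are constructed placeholders, since the article does not list the 42 objects.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that blocks loading in IE

# Matches a per-CLSID subkey header in registry export text.
_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$"
)
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_compat_flags(reg_text):
    """Return {CLSID (upper case): Compatibility Flags value} from export text."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):          # new key: remember its CLSID, if any
            m = _KEY_RE.match(line)
            clsid = m.group(1).upper() if m else None
        elif clsid:
            m = _FLAGS_RE.match(line)
            if m:
                flags[clsid] = int(m.group(1), 16)
    return flags

def audit_kill_bits(reg_text, expected_clsids):
    """Split expected CLSIDs into (blocked, not_blocked) by kill-bit state."""
    flags = parse_compat_flags(reg_text)
    blocked, not_blocked = [], []
    for clsid in expected_clsids:
        value = flags.get(clsid.upper(), 0)   # absent key means no kill bit
        (blocked if value & KILL_BIT else not_blocked).append(clsid)
    return blocked, not_blocked

# Constructed sample export; the CLSIDs are placeholders, not real objects.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A2}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A3}]
"Compatibility Flags"=dword:00800400
"""
# A4 is deliberately absent from SAMPLE to show the "key missing" case.
EXPECTED = ["{00000000-0000-0000-0000-0000000000A%d}" % i for i in range(1, 5)]
```

Calling `audit_kill_bits(SAMPLE, EXPECTED)` reports A1 and A3 as blocked and A2 and A4 as not blocked. Registry exports are normally written as UTF-16, so decode the file to text before passing it in.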

There were no new Security Advisories, but MS05-023 was reissued to include the Word viewer, and MS05-032 was updated with information about the x64 editions of Windows.

One nonsecurity update was also released. It fixes a problem with the display of double-byte character set (DBCS) attachment filenames in Rich Text e-mail messages after installation of security update MS05-012; some users may have to install the Windows Genuine Advantage validation tool. DBCS is a technique for representing languages with more than 256 characters (such as Chinese) without using Unicode.

The Malicious Software Removal Tool was updated to detect the Bagz, Dumaru, and Spyboter worms and Trojans.

Update Rollup Issues

In June 2005, just before Windows 2000 entered the Extended support phase of its life cycle, Microsoft released a large bundle of security and bug fixes for the OS. Customers do not have to deploy this bundle, which Microsoft has dubbed Update Rollup 1 for Windows 2000 SP4, to get support as the OS transitions from Mainstream to Extended support, but many will want to do so because it contains more than 50 critical and important fixes for security vulnerabilities and 400-plus other bug fixes.

After the release of the update rollup, Microsoft identified several problems that can occur when it is deployed. For example, some customers who installed the update rollup on computers that have an older non-Plug-and-Play ISA, EISA, or Micro Channel Architecture (MCA) SCSI controller have reported a blue screen stop code when they restart the computer. Microsoft says these problems are isolated (few customers are reporting problems) and obscure (they require specific rare configurations); therefore, they affect only a small number of customers. The known issues are currently documented in a KB article, and Microsoft will reissue the Update Rollup 1 for Windows 2000 SP4 to address these problems.

First Vista Vulnerability?

August also saw a report that Windows Vista was vulnerable to security exploits, via Microsoft's new scripting and shell environment, code-named Monad. In fact, while Windows Vista and Monad are both currently in beta testing, Monad is not part of Windows Vista. According to plans announced in early 2005, Monad will ship first with the next version of Exchange in late 2006 and then with Windows Longhorn Server in late 2007. Moreover, Monad is likely no more vulnerable than other scripting environments, most of which provide a way to execute code on an OS.

Resources

Information about updates released in Aug. 2005 can be found at www.microsoft.com/technet/security/current.aspx.

The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.

More information about kill bits can be found at support.microsoft.com/kb/240797.

For background on the update rollup, see "Update Rollup for Windows 2000 SP4" on page 14 of the Aug. 2005 Update.

Issues related to the Update Rollup for Windows 2000 SP4 are documented at support.microsoft.com/kb/891861.