Sept. and Oct. 2005 Security Updates
Oct. 17, 2005

Oct. 2005's "Patch Tuesday" included three critical and four important patches for vulnerabilities in Microsoft software. Customers need to deploy at least two of these patches as soon as possible: a cumulative patch for Internet Explorer (IE), announced in Sept. 2005 and then delayed for additional testing, already has publicly circulating exploits, and a critical patch for vulnerabilities in the Microsoft Distributed Transaction Coordinator and COM+ could be exploited by a worm similar to Zotob, which harmed a large number of unpatched systems in Aug. 2005.

October Patches

Three critical patches released in Oct. 2005 fix vulnerabilities in Windows, including the following:

  • An unchecked buffer in DirectShow, which is used for streaming media on Windows and by applications including DVD players, video editors, video converters, MP3 players, and digital video capture
  • An unchecked buffer in the Microsoft Distributed Transaction Coordinator (MSDTC) and a problem with the manner in which COM+ creates and uses memory structures
  • A vulnerability caused by the way in which IE instantiates COM objects that were not originally intended to be used in the browser

On unpatched systems, each of these critical vulnerabilities could allow an attacker to take complete control of a vulnerable computer. The cumulative patch for IE continues the patching of COM objects that began with the JView Profiler vulnerability, patched in July 2005 by using Registry entries called kill bits to prevent IE from loading COM objects that are not intended to be used from within a browser.
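Because the IE fix relies on kill bits rather than on code changes, the useful post-deployment check is whether the expected CLSIDs actually carry the 0x400 flag. As an added example (not from the original article or from Microsoft), the following parses a regedit export of the ActiveX Compatibility key and reports, for a list of CLSIDs, whether each is kill-bitted; the CLSIDs in the sample are constructed placeholders, not those from MS05-052.

```python
import re

# Bit in the per-CLSID "Compatibility Flags" DWORD that tells IE never to
# instantiate the object (the "kill bit" described in KB240797).
KILL_BIT = 0x400

KEY_RE = re.compile(
    r"^\[.*\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.IGNORECASE)
VALUE_RE = re.compile(
    r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.IGNORECASE)


def parse_activex_compat(reg_text):
    """Map CLSID -> Compatibility Flags from a .reg export of
    HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # key header: remember its CLSID, if any
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bit_set(flags, clsid):
    """True only if the CLSID has an entry and its 0x400 bit is set."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


def audit_kill_bits(reg_text, expected_clsids):
    """For each CLSID a patch is supposed to block, report whether it is."""
    flags = parse_activex_compat(reg_text)
    return {c.upper(): kill_bit_set(flags, c) for c in expected_clsids}


# Constructed sample export with placeholder CLSIDs (not real objects).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000001
"""
```

A CLSID that is missing from the export, or present with flags other than 0x400, is reported as not blocked, which is the case a deployment check most needs to catch.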

Four important patches were released in Oct. 2005 to fix vulnerabilities in Windows and Exchange, including the following:

  • An unchecked buffer in the Microsoft Client Service for NetWare, a service that allows a client computer to access NetWare file, print, and directory services. (Both Microsoft and Novell provide a client for this purpose—Microsoft Client Service for NetWare and Novell Client for Microsoft Windows XP, respectively—but this vulnerability affects only the Microsoft client.)
  • A weakness in the data validation process of Plug and Play, the mechanism Windows uses to detect new hardware installed on a system
  • An unchecked buffer in the Collaboration Data Objects (CDO) e-mail access libraries for both Windows and Exchange
  • Two problems: the way in which the Windows Shell handles certain properties of .lnk (shortcut) files, which point to another file such as a program, and the process Windows Explorer uses to validate HTML characters in certain document fields when in Web View

While these vulnerabilities could allow an attacker to take full control of a system, they are rated important only because of other factors that reduce the potential impact of an exploit. For example, the Microsoft Client Service for NetWare is not installed by default.

There were no new security advisories, and no important nonsecurity updates were released. Some of the bulletins do replace existing bulletins.

The Malicious Software Removal Tool was updated to detect and remove Win32/Mywife, Win32/Gibe, Win32/WUKill, and Win32/Antinny.

September Patches

Although Microsoft provided advance notice to customers that it would release an update on the Sept. 2005 Patch Tuesday, the company decided to delay the patch (which became MS05-052: Cumulative Security Update for Internet Explorer and was released in October) to complete additional testing to ensure the patch fixed the vulnerability without creating new problems. However, while Microsoft released no new security-related patches in September, it did release a new version of Update Rollup 1 for Windows 2000 SP4 and updated its Malicious Software Removal Tool.

The Patch Guidance Dilemma

To help customers plan and deploy patches in a timely manner, Microsoft has instituted a process of providing advance notice about the patches it will release each month, and restricting the release of patches to a single day—the second Tuesday of each month.

Because advance guidance is provided while the patch is still undergoing final testing, it is possible that after Microsoft provides advance notice, it will discover that the vulnerability is not completely fixed or will cause problems with other OS components or applications.

This is essentially what happened in September—although Microsoft had announced a patch would be released on September Patch Tuesday, by the scheduled release date Microsoft was not able to ensure that the patch would effectively fix the vulnerability without creating new problems.

September Updates and Changes

Although there were no new patches released on September's Patch Tuesday, Microsoft did re-release Update Rollup 1 for Windows 2000 SP4 to address problems experienced by a small subset of customers, such as customers who installed the update rollup on computers that have an older non-Plug-and-Play ISA, EISA, or Micro Channel Architecture SCSI controller. These customers have reported a blue-screen stop code when they restart the computer. Microsoft says these problems are isolated (few customers are reporting problems) and obscure (they require specific rare configurations).

The company also updated its Malicious Software Removal Tool to detect and remove the Bobax, Esbot, Gael, Yaha, and Zotob worms and Trojans.

Resources

Information about updates released in Oct. 2005 can be found at www.microsoft.com/technet/security/current.aspx.

Microsoft has acknowledged problems with the patch for COM+ and MSDTC (MS05-051) on systems where the default permission settings for the COM+ catalog have been changed. For information on the problems and the workarounds, see support.microsoft.com/kb/909444.

The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.

More information about kill bits can be found at support.microsoft.com/kb/240797.

Additional details on the update rollup can be found in "Update Rollup for Windows 2000 SP4" on page 14 of the Aug. 2005 Update.