Nov. 2005 Security Updates
Nov. 14, 2005

Nov. 2005's "Patch Tuesday" included only one critical patch, which was for vulnerabilities in the Windows graphics rendering engine. Microsoft also issued an advisory and several Knowledge Base (KB) articles to help a small number of customers who had problems with earlier updates, and a security advisory for Macromedia Flash, which is included with some Windows versions.

One Patch, Two Advisories

The critical patch released in Nov. 2005 fixed vulnerabilities in the Windows graphics rendering engine, including a buffer overflow that could allow a remote attacker to take complete control of an affected system. The vulnerabilities are rated critical, because any program that renders either 16-bit Windows Metafile (WMF) or 32-bit Enhanced Metafile (EMF) images could potentially be exploited on an unpatched version of Windows. While the bulletin identifies three vulnerabilities, a single patch corrects all three.

After the release of MS05-051 ("Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution") in Oct. 2005, Microsoft issued a Security Advisory to aid customers who had problems applying the update. Customers who changed the default Access Control List (ACL) for certain Windows directories experienced problems deploying the patch. KB article 909444 explains to those customers how to correct the problem. Microsoft also issued two other KB articles in Oct. 2005 (without Security Advisories) to help customers who had problems with the MS05-052 patch ("Cumulative Security Update for Internet Explorer"), which was also issued in October. The KB articles (909889 and 896738) address problems with custom ActiveX controls not loading as expected in Internet Explorer (IE) or from a Web page.

Microsoft also issued a security advisory to make customers aware of recent security vulnerabilities in the Macromedia Flash Player, a third-party software application that was redistributed with Windows XP SP1 and SP2, Windows 98 and 98 SE, and Windows Me. The main purpose of this advisory is to ensure that Microsoft customers are aware that the software included with Windows needs to be patched with the update that is available on the Macromedia Web site.

Three important nonsecurity updates will also be released in November, including one for Windows SharePoint Services and two for Office 2003.

The Malicious Software Removal Tool was updated to detect and remove the malicious Bugbear, Codbot, Mabutu, Opaserv, and Swen software.

DRM Software Breaks Windows

Also in Nov. 2005, there were reports that digital rights management (DRM) software designed by First 4 Internet and included on some Sony BMG audio CDs installed itself in a manner that altered the OS to prevent the software from being detected, and that malicious software could use the same alteration to evade detection. Furthermore, attempting to manually remove the software could make a CD-ROM drive unusable. Some OS experts went so far as to call the Sony-distributed software a "rootkit," which is software that typically installs so deeply into an OS that it can neither be detected nor safely removed. Many security experts consider rootkits to be malicious, regardless of their purpose or whether they present the user with an End User License Agreement (EULA). Shortly after the story broke, Sony stopped distributing the DRM software with new CDs.

A Microsoft spokesperson indicated that while the company's malicious software detection and removal tools did not initially detect the software in question, Microsoft will not allow partners to install software that destabilizes or breaks Windows. Microsoft also indicated that it would be updating the Windows Defender signature files as quickly as possible, and that the Malicious Software Removal Tool released with the Dec. 2005 updates on Patch Tuesday would be able to detect and remove this rootkit.

Resources

Information about updates released in Nov. 2005 can be found at www.microsoft.com/technet/security/current.aspx.

The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.

The security advisory for the Oct. 2005 MS05-051 update can be found at www.microsoft.com/technet/security/advisory/909444.mspx.

The KB article with information about MS05-052 and ActiveX controls not displaying on Web pages is at support.microsoft.com/kb/909889.

The KB article with information about MS05-052 and ActiveX controls not displaying in IE is at support.microsoft.com/kb/909738.

The security advisory for the Macromedia Flash update can be found at www.microsoft.com/technet/security/advisory/910550.mspx.

Technical details on the apparent rootkit are available from the Web site of noted Windows expert Dr. Mark Russinovich: www.sysinternals.com/blog/.