Dec. 2005 Security Updates
Dec. 19, 2005

Dec. 2005's "Patch Tuesday" included a critical patch for a vulnerability in Windows and Internet Explorer (IE) for which a public exploit is already circulating and an important patch for Windows 2000 SP4. The latest security updates also address problems with the First4Internet copy-protection software distributed on some Sony-BMG audio CDs, which altered Windows to prevent the software from being detected and could be used by malicious software to evade detection.

A Critical and Important Patch

The cumulative critical patch for Windows and IE released in Dec. 2005 fixed a number of vulnerabilities in Windows, including the following:

  • A flaw in how IE displays file download dialog boxes and accepts user input during interaction with a Web page
  • IE behavior when using a Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) proxy server and Basic authentication, which could allow an attacker to read Web addresses in clear text
  • IE instantiation of COM objects that are not intended to be instantiated in a browser
  • Potential memory corruption caused by mismatched Document Object Model (DOM) objects in IE, such as when IE displays a Web page that contains an onLoad event that points to a Windows object

In the worst case, these vulnerabilities could allow an attacker to take complete control of a system. Customers will want to deploy this update as quickly as possible, because at least one exploit for the mismatched DOM objects vulnerability is circulating publicly.

In addition, this cumulative security update sets the kill bit that Microsoft recently implemented to stop the First4Internet XCP uninstallation ActiveX control from loading. This ActiveX control, which was later found to contain a vulnerability, was distributed by Sony to uninstall the First4Internet copy-protection rootkit, software that hides itself to evade detection and that could be used by malicious software.
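The kill bit described above is a per-control registry setting: IE refuses to load an ActiveX control whose CLSID has a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility key. The following added example (not code from the original article or from Microsoft) parses a constructed `reg export` of that key and reports which CLSIDs are kill-bitted, so an administrator can audit that the update took effect; the CLSIDs are placeholders, since the article does not give the XCP control's real identifier.

```python
import re
from typing import Dict, Optional

# Registry key under which IE keeps per-control compatibility settings,
# and the DWORD bit that constitutes the kill bit.
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400

# Constructed sample of a decoded `reg export` of that key. The CLSIDs are
# placeholders, not the real identifier of the XCP uninstaller control.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"SomeOtherValue"="x"
"""

_KEY_RE = re.compile(r"^\[" + re.escape(ACTIVEX_COMPAT_KEY) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_kill_bits(reg_text: str) -> Dict[str, bool]:
    """Map each CLSID subkey in the export to whether its kill bit (0x400) is set.

    A subkey that is present but has no Compatibility Flags value, or whose
    flags lack bit 0x400, is reported as not killed.
    """
    result: Dict[str, bool] = {}
    current: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # New key section: only CLSID subkeys of the compatibility key count.
            m = _KEY_RE.match(line)
            current = m.group(1).upper() if m else None
            if current:
                result[current] = False
            continue
        if current is None:
            continue
        m = _FLAGS_RE.match(line)
        if m:
            result[current] = bool(int(m.group(1), 16) & KILL_BIT)
    return result


def is_killed(reg_text: str, clsid: str) -> bool:
    """True only if the given CLSID has a Compatibility Flags value with bit 0x400 set."""
    return parse_kill_bits(reg_text).get(clsid.upper(), False)
```

Run the same parser against a real export of the key on a patched machine to confirm the control's CLSID shows up as killed.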

A vulnerability rated as "important" in Windows 2000 SP4 concerns the method used to process items in the asynchronous procedure call (APC) queue list—a function that executes asynchronously in the context of a particular thread. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Three important nonsecurity updates will also be released in December. The first, available from Microsoft Update, will update the junk e-mail filter in Microsoft Office Outlook 2003 with a more current definition of what constitutes junk e-mail. The other two, which will be available from both Microsoft Update and Windows Update, address security issues with the Windows Automatic Update service and a problem with System Restore Points on Windows XP.

The Malicious Software Removal Tool was updated to detect and remove three more pieces of malware: RCBot, F4IRootkit (the First4Internet copy-protection rootkit), and Rynkos (a Trojan that exploits the F4IRootkit).

Microsoft also provided a Knowledge Base article with workarounds for a problem with synchronizing Software Update Services (SUS) 1.0 SP1 Servers with Windows Update after December 12, 2005. This problem may cause previously approved updates to be unapproved, with their status appearing as "updated."

Additional Products Gain Common Criteria

Microsoft also announced in Dec. 2005 that the following products had achieved Common Criteria (CC) EAL4 security certification:

  • Windows Server 2003, Standard Edition SP1 (32-bit)
  • Windows Server 2003, Enterprise and Datacenter Editions SP1 (32-bit and 64-bit versions)
  • Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)
  • Windows XP, Professional and Embedded Editions SP2
  • Exchange Server 2003
  • ISA Server 2004

These criteria are also known as the International Organization for Standardization (ISO) Evaluation Criteria for Information Technology Security (ISO 15408) and are the result of collaboration between national security and standards organizations from Canada, France, Germany, the Netherlands, the United Kingdom, and the United States. Customers should not read too much into such a certification: the criteria are hard to apply to the way a given organization actually configures and administers Windows.

In the United States, the supporting agencies are the National Institute of Standards and Technology and the National Security Agency, and the CC reflects criteria from both the Federal Criteria for Information Technology Security version 1.0 and the Trusted Computer System Evaluation Criteria (TCSEC or "Orange Book").

The EAL4 evaluation means that the product being evaluated was methodically designed, tested for vulnerabilities, and reviewed to ensure that it can be configured securely.

Resources

Information about updates released in Dec. 2005 can be found at www.microsoft.com/technet/security/current.aspx.

The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.

The KB article with the SUS workaround is at support.microsoft.com/kb/912307.

A white paper on the Common Criteria certification is available at www.microsoft.com/technet/security/prodtech/windowsserver2003/ccc/cccwp.mspx.