Jan. 2006 Security Updates
Jan. 16, 2006
The first critical patch of 2006 arrived before "Patch Tuesday," when Microsoft released a critical patch for an already-exploited vulnerability in the Windows Metafile (WMF) image format. Patch Tuesday itself saw the release of critical patches for Windows, Outlook, and Exchange. Although it is not surprising that conditions would drive the release of a patch prior to the monthly patch-release date, this marks at least the second time Microsoft has patched the WMF image format, which raises questions about the thoroughness of Microsoft's code review process.

"Out-of-Band" Patch

In late Dec. 2005, attackers began to exploit a vulnerability in the way that the Windows graphics rendering engine handles WMF images. (WMF is a 16-bit format that can contain both vector and bitmap information.) These exploits could result in the attacker taking complete control of an affected system. Microsoft started following its normal process for verifying the existence and scope of the vulnerability, publishing advisories and developing and testing a patch, which typically can take several months and results in the release of a patch on the scheduled patch-release day (the second Tuesday of the month). However, the presence of exploits for the vulnerability, as well as advice from some security experts to install a non-Microsoft patch, forced Microsoft to accelerate testing and release the patch when testing was completed rather than on the next scheduled Patch Tuesday. Microsoft did accelerate its response process, acknowledging both the scope and extent of the vulnerability, but it also pointed out that patches must be thoroughly tested to ensure that they do not introduce additional vulnerabilities or break applications that rely on the patched component's functionality.

However, the vulnerability raises a question about Microsoft's security processes: why didn't Microsoft uncover this vulnerability during earlier code reviews of Windows—particularly during the complete code review of Windows in 2002, when Microsoft stopped all other work on Windows—or late in 2005 when it patched a buffer overflow affecting the Windows graphics rendering engine and WMF in Nov. 2005 (MS05-053: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution)? The quick succession of two vulnerabilities in the same component suggests it is no longer sufficient for Microsoft to patch a vulnerability in a component. Rather, a more complete review of any vulnerable component is necessary, because publishing patch information for a component suggests to attackers that the component was not adequately reviewed for vulnerabilities before, and it could be ripe for other attacks.

Other Critical Patches

Two other critical patches were released on the scheduled Jan. 2006 Patch Tuesday. They patch vulnerabilities in the following areas:

Embedded Web fonts. A flaw with embedded Web fonts in Windows can cause a memory corruption and allow an attacker to run code as the logged-on user. If the user is logged on as administrator, as most Windows users are, the attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Transport Neutral Encapsulation (TNEF). A flaw in the way that Outlook and Exchange decode messages that use the TNEF protocol (a commonly used protocol for sending a message from Exchange to a Microsoft e-mail client) could allow an attacker to take complete control of the affected system.

Because Exchange 5.0 and 5.5 are not supported by Microsoft Update or the Microsoft Baseline Security Analyzer (MBSA) version 2.0, customers using those versions of Exchange may have to use an older version of MBSA or the Systems Management Server (SMS) Update Inventory Tool to detect whether a system needs patching for the TNEF vulnerability.

Two important nonsecurity updates will also be released in January. The first is an update rollup for Exchange 2000 Server, and the second is an update for the Exchange 2003 antispam system, the Intelligent Message Filter. The Malicious Software Removal Tool was updated to detect and remove three more pieces of malware: Win32/Parite, Win32/Maslan, and Win32/Bofra.

Other Security Improvements

Microsoft also announced three other minor improvements to its security processes and support:

Life cycle and patch-release synchronization. Microsoft has adjusted the end-of-support dates for all products to coincide with Patch Tuesday. The first product to which the new policy applies is Exchange Server 5.5. The public incident and security-related hotfix support for Exchange Server 5.5 was scheduled to end on Dec. 31, 2005, but this date was extended to Jan. 10, 2006, ensuring that the company would update Exchange 5.5 with the latest critical patches, including the TNEF patch. The patch itself will be supported on Exchange 5.5 until Jan. 31, 2006. (For more information about the change in the life cycle, see "Life Cycle Includes Last Patches".)

ISO image updates. Each month, Microsoft will release a cumulative CD image of all security and critical updates posted at Windows Update (rather than at Microsoft Update, which also includes Office and Windows Server updates). The image will assist customers who need multiple updates in multiple languages.

S/MIME communications. Security communications from Microsoft will be signed using Secure Multipurpose Internet Mail Extensions (S/MIME), rather than Pretty Good Privacy (PGP). S/MIME, like PGP, enables customers to ascertain that the security communication was sent by Microsoft and has not been tampered with. Because S/MIME is supported by default in Outlook and Outlook Express, it is easier for customers to use S/MIME to verify the message.

Resources

Information about updates released in Jan. 2005 can be found at www.microsoft.com/technet/security/current.aspx. A description of the support date change is available at www.microsoft.com/presspass/features/2006/jan06/01-10Support.mspx. The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx. Information about the ISO-image updates can be found at support.microsoft.com/kb/913086.
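The S/MIME point above (a signed security communication lets the recipient confirm who sent it and that it was not altered in transit) can be exercised end to end with the openssl command-line tool. This is an added example, not Microsoft's process or any real bulletin: it creates a throwaway self-signed signing certificate (the subject name and file names are constructed for the demo), signs a sample text, verifies it, and then shows that altering one word of the signed body makes verification fail.

```shell
#!/bin/sh
# Added example (not from the article): sign a text with a throwaway,
# self-signed S/MIME certificate, verify the signature, then show that a
# tampered copy fails. All names and file names are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Throwaway signer certificate. Being self-signed, it also serves as the
#    trust anchor handed to the verifier; in practice that would be the CA
#    chain under which the sender's certificate was issued.
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-signer" \
    -addext "keyUsage=critical,digitalSignature,keyCertSign" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout signer.key -out signer.crt 2>/dev/null
}

# 2. Produce a multipart/signed (detached-signature) S/MIME message.
#    $1 = plaintext file, $2 = output message file
sign_message() {
  openssl smime -sign -in "$1" -signer signer.crt -inkey signer.key \
    -from demo@example.invalid -to reader@example.invalid \
    -subject "constructed demo" -out "$2"
}

# 3. Verify: succeeds only if the signature matches the content AND the
#    signer's certificate chains to the supplied trust anchor.
#    $1 = message file; returns openssl's exit status
verify_message() {
  openssl smime -verify -in "$1" -CAfile signer.crt -out /dev/null 2>/dev/null
}

make_signer
printf 'Security bulletin body (constructed sample).\n' > body.txt
sign_message body.txt signed.eml
verify_message signed.eml && echo "original message: signature verified"

# 4. Alter one word of the signed body; the digest no longer matches, so
#    verification must fail even though the signature block is untouched.
sed 's/constructed sample/altered text/' signed.eml > tampered.eml
if verify_message tampered.eml; then
  echo "tampered message: verified (should not happen)"
else
  echo "tampered message: verification failed, as expected"
fi
```

Pointing `-CAfile` at the real issuing CA chain instead of the self-signed demo certificate is the only change needed to check a production signed message the same way.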