July 2006 Security Updates
Jul. 17, 2006

Seven patches—five critical, and two important—were released on the July 2006 "Patch Tuesday" to address a large number of vulnerabilities in Windows and Office, including some vulnerabilities with Office documents for which limited attacks were already occurring. Meanwhile, Microsoft's decision to use Windows Update to distribute a prerelease version of its Windows Genuine Advantage Notifications software as a high-priority update is still causing customer concern, including the filing of lawsuits alleging that the software is spyware.

Critical Patches

Two critical patches were released to address problems with Windows that could allow an attacker to take full control of a Windows-based computer. The first involves the manner in which Dynamic Host Configuration Protocol (DHCP) clients request information from a DHCP server, and the second affects the Windows Server service, which, in conjunction with the Server Message Block (SMB) protocol, allows Windows users to share files and folders with other users. (Note that the Windows Server service is a feature of both Windows client and Windows Server editions.)

Three critical patches for Office address 12 vulnerabilities in Office documents that could allow an attacker to execute code in the same context, or at the same authorization level, as the user. As most users of Windows run with an administrator-level context, this means the attacker effectively can gain complete control of the vulnerable system. The three Office patches could be the most important for users to apply as soon as possible, as there are already publicly disclosed exploits and reports of limited attacks.

Microsoft revised security bulletin MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution, originally released in June 2005.
The re-released bulletin and update address a problem with dial-up connections that use a terminal window or dial-up scripting, and a second problem that involves using scripts to change device configuration parameters such as parity checking or stop bits. Only customers who have yet to deploy MS06-025, or who applied the original update and experienced the problems, should apply the revised version.

The July Patch Tuesday also saw the release of four high-priority nonsecurity updates, including the monthly update for the Outlook 2003 Junk E-mail Filter. The other updates include file awareness updates for PowerPoint and Word, which support the compatibility pack that allows users to exchange documents between Office releases, and an update to the HTTP.sys component, which improves the reliability of the Hypertext Transfer Protocol (HTTP) redirector on Windows XP by repairing a problem by which users with certain network adapter drivers and certain host firewall software received a critical stop or blue screen.

Finally, as in past months, Microsoft also used the July Patch Tuesday to update its Malicious Software Removal Tool (MSRT) to detect and remove four more pieces of malicious software: Win32/Alemod, Win32/Chir, Win32/Hupigon, and Win32/Nsag.

AutoUpdate and Genuine Windows

July saw continued fallout from the expanded pilot of the Windows Genuine Advantage (WGA) program. WGA uses software to detect counterfeit or unlicensed copies of Windows and, if detected, reminds customers to buy a properly licensed version. Controversy arose when Microsoft decided to release WGA components through Windows Update as a high-priority update. Two lawsuits were filed against Microsoft claiming that the WGA software is spyware.
Although definitions vary, spyware is broadly defined as software that the user does not want, that installs on a user's computer without the explicit consent of the user, and that sends information about the user back to the spyware publisher without the user's knowledge or consent—conditions that some would argue the WGA software meets. There are also reports of a worm circulating that masks itself as the WGA software in order to trick users into installing it. Once installed, the worm disables the user's firewall and leaves the computer vulnerable to external control.

Microsoft has a right to defend itself against piracy. However, by labeling the WGA update as critical and then using Windows Update to distribute it in prerelease form, Microsoft potentially undermines customer security and PC reliability. If customers lose faith in Windows Update as being a safe mechanism for automatically downloading and installing critical security and reliability updates, more machines will remain vulnerable to exploits, affecting the safety and reliability for all Windows users. More generally, Microsoft's WGA response could damage trust in the company and its business practices—its "business integrity"—which, along with security, reliability, and privacy, has formed the basis of the Trustworthy Computing initiative, Microsoft's long-term effort to expand the computer market by enhancing trust in computer systems.

Resources

Information about updates released in July 2006 can be found at www.microsoft.com/technet/security/current.aspx. The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx. For more information on WGA, see "Genuine Windows Pilot Expanding" on page 11 of the Dec. 2004 Update.