Sept. 2006 Security Updates
Sep. 18, 2006
Three patches—one critical, one important, and one moderate—were released on the Sept. 2006 "Patch Tuesday" to address vulnerabilities in Windows and Office. In addition, Microsoft rereleased two critical patches from last month's Patch Tuesday, one of which is now on its third version in a month. This month Microsoft also worked to close a hole in its copy-protection mechanism for digital audio and video.

Critical Patches

The critical patch fixes a vulnerability in the way Microsoft Publisher, a product sold in some editions of Office and on a stand-alone basis, opens .PUB files (which store Publisher data). A malformed .PUB file could corrupt system memory in such a way that an attacker could execute arbitrary code and take full control of the computer. A side effect of the update for Publisher 2000 or Publisher 2002 is that users will no longer be able to open Publisher 2.0 files.

The important update fixes a vulnerability in a network protocol called Pragmatic General Multicast (PGM), a reliable and scalable multicast protocol that enables receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is used by the Microsoft Message Queuing Service, among others. An exploit for this vulnerability would allow a user to run programs in the LocalSystem security context, which has full administrative privileges.

Update Quality Problems

September's Patch Tuesday also saw Microsoft reissue two patches originally released the previous month. The first updated patch is the MS06-42 Cumulative Update for Internet Explorer, which is now on its third version in less than a month; the other is the MS06-40 Vulnerability in Server Service Could Allow Remote Code Execution patch, which is now on its second version.
The fact that two patches have required updating—including one patch already requiring two additional versions in a month—may indicate either that Microsoft is trying to patch too many vulnerabilities in a single patch or that it is unable to test all the changes before having to release the patch because the vulnerabilities are publicly circulating. In either case, customers will have to watch that this does not become a trend toward additional patch-release problems in the future.

Security Advisories, Other Updates

Two security advisories were also issued on September's Patch Tuesday. The first does not address a security problem but rather a bug in which some "minifilter"-based applications could cause the following Microsoft software update services to stop running: Automatic Update, Windows Update, Microsoft Update, the Inventory Tool for Microsoft Updates (ITMU) for Microsoft Systems Management Server (SMS) 2003, Software Update Services (SUS) 1.0, and Windows Server Update Services (WSUS) 2.0. The only known minifilter-based application to cause this problem is the File Server Resource Manager (FSRM), which is only available in Windows Server 2003 R2.

The second advisory alerts customers that Adobe has released an update that addresses a publicly known vulnerability in versions of the Macromedia Flash Player that are redistributed with Microsoft Windows XP SP1 and SP2.

The Sept. Patch Tuesday also saw the release of three high-priority nonsecurity updates: one for Windows, one for Windows XP, and the monthly update for the Outlook 2003 Junk E-mail Filter. Finally, as in past months, Microsoft also used the Sept. Patch Tuesday to update its Malicious Software Removal Tool to detect and remove two more pieces of malicious software: Win32/Bancos and Win32/Sinowal.

Windows Media DRM Circumvention

In September, Microsoft released an update for problems that allowed users to bypass Windows Media Digital Rights Management (DRM).
Windows Media DRM is a technology that allows the creators or distributors of a Windows Media audio or video file to define what end-users may do with it. For example, a record company may use Windows Media DRM to prevent users from copying a downloaded song to more than one computer, or to render that song unplayable after a certain time period unless the user pays a subscription fee. The update followed shortly after tools for exploiting the Windows Media DRM problem were discussed publicly. The quick release following the public debate created the appearance that Microsoft released the DRM update on a faster schedule than it typically releases security patches. Microsoft says, however, that it was aware of the problem in Aug. 2006 and had been working on the update since then. The company does acknowledge that it treats attempts to circumvent or crack DRM software differently from security vulnerabilities. This is not likely to be the last circumvention and subsequent update, as DRM is becoming increasingly important to Microsoft and digital content owners.

Resources

Information about updates released in Sept. 2006 can be found at www.microsoft.com/technet/security/current.aspx. The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx. For more information on the Adobe Security Bulletin mentioned in the Microsoft advisory, see www.adobe.com/go/apsb06-11.