Tuesday, October 9, 2007

October Patch Tuesday

Microsoft announced there would be 7 advisories on this Patch Tuesday, but we only got 6. It makes you wonder what they held back and why.

That aside, there are a couple of things to know about today's advisories and patches. Here's the breakdown:

  • MS07-055 -- Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution

    The first thing I thought when seeing this is, "how many people have the Kodak Image Viewer installed?" It turns out, a lot. It was installed on all Windows 2000 machines and is still installed on Windows XP machines that were upgraded from Windows 2000.

    This vulnerability is very similar to other extremely critical image handling vulnerabilities that have wreaked havoc on Windows operating systems lately. If you even browse to a folder with a malicious image on a vulnerable machine, the malicious image will be able to execute code on your system. So this impacts anything that displays images from Windows Explorer thumbnails and previews to Internet Explorer and Outlook.

    Microsoft does mention that if you have installed Office 2003, the Kodak Image Viewer may have been replaced by a different image viewer.

    This is a potentially extremely serious vulnerability, but at this time the details for how to exploit it are almost non-existent and there are no exploits in the wild.

  • MS07-056 -- Security Update for Outlook Express and Windows Mail

    This relates to how a URL that starts with nntp:// can be used to point a user to a malicious news server (potentially without user interaction if the URL is used as an image source) that overflows memory and potentially executes arbitrary code.

    The malicious news server must be custom and has to know how to overflow the handler. There are no examples and no exploits in the wild, but there's enough information for someone to create an exploit without undue difficulty. This is definitely a critical issue.

  • MS07-057 -- Cumulative Security Update for Internet Explorer

    This is actually three separate vulnerabilities in JavaScript on Internet Explorer from version 5 through 7. All Windows operating systems including Vista are affected. Two of the vulnerabilities use JavaScript tricks to make a person think they've navigated to a particular website when in fact they haven't. This could be exploited by phishers to trick people into thinking they're legitimately at their bank's website (or paypal, or ebay, etc.). There are several publicly available demonstrations showing how to exploit this. Patch immediately.

    The other issue in this update is a heap overflow caused when a script starts several download attempts of the same file and then frees the memory for those download attempts.

    To alleviate both of these issues, consider using FireFox instead of Internet Explorer and consider trying the NoScript plugin to FireFox.

  • MS07-058 -- Vulnerability in RPC Could Allow Denial of Service

    This vulnerability reminds me a bit of the old ping of death. A specially crafted windows file-sharing authentication message will cause a computer to spontaneously reboot. Microsoft recommends that people firewall UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593. If you have a gateway firewall, it should block these ports by default. If not, you should strongly consider installing a personal firewall such as ZoneAlarm.

  • MS07-059 -- Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site

    If you use SharePoint, you should be aware that an authenticated user could increase their privileges through a cross-site scripting (XSS) vulnerability. We don't view this as a critical vulnerability.

  • MS07-060 -- Vulnerability in Microsoft Word Could Allow Remote Code Execution

    This incorporates 4 separate vulnerabilities in Word for Windows and for Mac that could be exploited by a malicious Word document. The most serious of these issues is a recurrence of an older vulnerability that most security products have some degree of protection for already.

For the moment, the risks are not terribly high, except for potentially harder to detect phishing attacks. However, exploits for the other vulnerabilities could appear at any time, so users are encouraged to update their systems as soon as possible.