Microsoft's Latest Security Updates -- The Good, the Bad, and the Ugly

In mid-July, Microsoft released seven "security bulletins" -- also known as patches -- covering vulnerabilities in a variety of their programs. Those of you who want fairly in-depth information about these patches should go to Microsoft's Web site, where you'll find a whole section on security, and a Webcast that goes into lots of detail about each patch. The Webcast covers who is affected, what the workarounds are, and whether you need to install each particular patch. But it's what Microsoft doesn't say -- or at least, doesn't emphasize -- that should have users up in arms.

July 26, 2004

For the record, Microsoft rates one of these patches "moderate," four "important," and two "critical."  Microsoft decides whether a patch is "important" or "critical" based on how much a user has to do to trigger the vulnerability; if a user has to visit a specific Web site or open an executable item in an e-mail, that's only "important," not "critical."  It goes without saying that if you've got clueless users on your network who don't practice safe computing, you might as well consider these fixes "critical."

The first of these seven patches, the "moderate" one, is a security update for Outlook Express meant to help prevent denial of service attacks.  You need it if you're using Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003.  It is not that important if you don't actively use Outlook Express, however. 

The second patch covers a vulnerability in Utility Manager.  Without the patch, an attacker could send a specially crafted message to Utility Manager and run any application in the system context.  The reason this patch is "important" rather than "critical," though, is that an attacker must log on locally -- not remotely -- and must have valid logon credentials to exploit this vulnerability.  If you use Windows 2000 and the Utility Manager, this patch is for you.  You could also just disable the Utility Manager service.  The third patch covers a similar vulnerability in both Windows NT 4.0 and Windows 2000 -- this time in the POSIX subsystem.  It's a buffer overrun vulnerability, but it has the same effect, the same preconditions (an attacker must log on locally and have valid credentials) and the same workaround (disable the POSIX subsystem).

The fourth patch, also rated "important" and specific to Windows NT 4.0, covers Internet Information Server (IIS) 4.0.  This buffer overrun vulnerability in the redirect function in IIS can enable code to execute in the system context.  An attacker sends a specially malformed message to IIS to take advantage of this weakness.  You can also handle this problem by disabling permanent redirects.

The fifth patch, rated "critical" for Windows 2000 and Windows XP, involves a buffer overrun vulnerability in Task Scheduler that allows code execution.  The only good news about this one is that the code executes in the user's context -- so an attacker can't do anything that a user can't do.  (Think of it as yet another good reason to grant your users only the privileges they absolutely need to do their jobs effectively).  Attackers exploit this weakness via either a malicious Web site or an e-mail attachment.  Educate your users not to go to suspicious Web sites or open unexpected e-mail attachments; even with educated users, you may still want to install this patch.

The sixth patch, also rated "critical," affects damn near everything: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows 98, Windows 98 SE, and Windows ME.  It concerns ShowHelp and HTML Help, and attackers exploit this weakness the same way they exploit the Task Scheduler vulnerability: through a malicious Web site or e-mail.  They get the same result: they can only do as much damage as that user could do.  To mitigate the damage, according to Microsoft, you should make sure HTML e-mail gets opened in the Restricted sites zone (some versions of Outlook Express do this by default), use IE 6.0 or later, and install the latest cumulative security update for IE.

The final patch, rated "important," covers a vulnerability in the Windows Shell that could allow remote code execution.  It affects Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003.  (It's worth noting that this patch is not considered critical for Windows 98, Windows 98 SE, or Windows ME). An attacker uses a malicious HTML page, either hosted on a Web site or sent as e-mail; if successful, the attacker's code would run in the user's context. 

Bear in mind, for this particular problem, you need to use one patch if you have Active Desktop and a different patch if you don't.  If you use the patch for systems without Active Desktop, and you have Active Desktop, then you will not be able to use Active Desktop anymore.  If you don't know whether you have Active Desktop installed, there's an article (Knowledge Base Article 216840) available from Microsoft that will tell you how to find that out.

How to Find out if You Need the Patches

Okay, so how do you find out whether you need these patches?  For the last six of them, you can use Microsoft's Baseline Security Analyzer (MBSA).  All seven are detected automatically by the Software Update Services (SUS) client, which will also install them and consolidate the updates into a single reboot.  You can also use Systems Management Server (SMS) 2.0 both to detect systems that need the patches and to deploy them.

Three Configuration Changes Recommended

So much for the patches -- but we're not done yet.  In addition to these seven security bulletins, Microsoft also recommended three configuration changes to enhance security.  These changes affect Internet Explorer 6.0 and Outlook Express 5.5 SP2.  If you use either of those, you might want to pay attention.

Disable the ADODB.Stream ActiveX Control

First, for Internet Explorer 6.0, the ADODB.Stream ActiveX control needs to be disabled.  This change applies to Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows 98, Windows 98 SE, and Windows Millennium Edition.  To make this change, you're going to have to modify the registry; make sure you make a back-up first.  Knowledge Base Article 870669 contains the information you'll need.  Why does this configuration need to be changed?  When the normal configuration is combined with certain well-known security vulnerabilities in IE, an attacker can use a malicious Web site to execute script from the victim's Local Machine zone.  That's because, when ADODB.Stream is enabled and hosted in IE, it lets script read and write files on the local hard disk.
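The registry change that KB 870669 describes is an Internet Explorer "kill bit": a Compatibility Flags value under the ActiveX Compatibility key that tells IE never to instantiate a given control.  The script below is an added example written for this article, not Microsoft's tool and not part of KB 870669; it audits whether the kill bit is set for ADODB.Stream and, only when asked, sets it.  It assumes a current Windows host with PowerShell (the 2004-era systems in this article predate PowerShell), and the CLSID it carries is the published one for ADODB.Stream, which you should confirm against the Knowledge Base article before relying on it.

```powershell
# Added example: audit (and optionally set) the IE kill bit for ADODB.Stream.
# Not from the article or from Microsoft.  Run in an elevated shell with a
# registry backup taken first; audit mode is the default.
param([switch]$Fix)

# 0x400 in "Compatibility Flags" is the documented IE kill bit.
$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# CLSIDs to check.  ADODB.Stream's CLSID is the published value; verify it
# against KB 870669.  Further controls can be added to this table.
$Controls = @{
    'ADODB.Stream' = '{00000566-0000-0010-8000-00AA006D2EA4}'
}

function Get-CompatibilityFlags {
    param([string]$Key)
    # Missing key or missing value both mean "no flags set".
    if (-not (Test-Path $Key)) { return 0 }
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Get-KillBitStatus {
    param([string]$Name, [string]$Clsid)
    $key   = Join-Path $BasePath $Clsid
    $flags = Get-CompatibilityFlags -Key $key
    [pscustomobject]@{
        Control    = $Name
        CLSID      = $Clsid
        Flags      = ('0x{0:X}' -f $flags)
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into whatever flags are already present rather than
    # overwriting them, so other compatibility settings survive.
    $flags = (Get-CompatibilityFlags -Key $key) -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $flags -Force | Out-Null
}

foreach ($entry in $Controls.GetEnumerator()) {
    $status = Get-KillBitStatus -Name $entry.Key -Clsid $entry.Value
    $status
    if ($Fix -and -not $status.KillBitSet) {
        Set-KillBit -Clsid $entry.Value
        # Re-read so the output shows the post-change state.
        Get-KillBitStatus -Name $entry.Key -Clsid $entry.Value
    }
}
```

Run it without arguments to report, and with `-Fix` to set the bit.  On 64-bit Windows the 32-bit IE process reads the same key under `Wow6432Node`, so a complete audit checks both locations.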

Limit the Shell Automation Service ActiveX Control

For the second configuration change, you'll need to limit the functionality of the Shell Automation Service ActiveX control (shell.application).  This fix is included in the seventh security bulletin.  It's also available through Windows Update or the Microsoft Download Center.

Read HTML Mail in Restricted Zones

The third configuration change is included with the first patch.  This one is specifically for Outlook Express 5.5 SP2.  It forces users to read HTML mail in the program's Restricted sites zone.  This way, users (and networks) will be less likely to fall victim to malicious code sent in e-mail.

Download.ject Virus

Some of you are probably wondering about the Download.Ject issue.  Microsoft discovered the issue in late June 2004; it affects users of IE -- but take note, users of Windows XP Service Pack 2 Release Candidate 2 (Windows XP SP2 RC2) are not affected by this security problem.  For those who haven't heard about it -- Download.Ject is one of those nasty infectious programs.  All you have to do to fall victim is visit a Web site hosted on a server that's infected with Download.Ject.  The Web pages download a Trojan horse to the victim's computer.  This Trojan horse may go by one of several names: "Backdoor: W32/Berber," "Backdoor-AXJ," "Webber," or "Padodor."  Make no mistake, it's nasty; it can watch you surfing the Internet and capture your logon names and passwords, and it can even open fake dialog boxes to try to get you to give it information such as your ATM card codes, credit card numbers, and who knows what else.

How to Find out if Your PC is Infected

Microsoft has released a cleaner tool that automatically detects if a PC user's system has been attacked by Download.ject, and gets rid of the malicious code.  You can check it out at http://www.microsoft.com/downloadject.  Once you get to the page, you can simply click on a button to find out if your PC is infected; I was very relieved, just a few clicks and a few seconds later, to find out that my own PC was not infected with this particular Trojan horse.

NT 4.0 Server Support Ending Soon

So this is the good (and some of the bad); what's the ugly?  If you use Windows NT 4.0 Workstation, you may already know about this, and if you don't know, you need to: this is the last security release that supports that operating system.  Microsoft will continue to support Windows NT 4.0 Server, but only through December.  And, for those of you using pirated copies of Windows XP, this security update may not work at all.  Granted, it's wrong (not to mention illegal) to pirate software.  However, insecure pirated copies of software can still spread all sorts of nasty things to a variety of systems and networks.  Microsoft wants us to think that it takes security seriously now.  If so, it needs a better answer to give users of pirated and soon-to-be-"obsolete" software.

© 2003-2012 by Developer Shed. All rights reserved.