Microsoft's Latest Security Updates -- The Good, the Bad, and the Ugly (Page 1 of 3 )
In mid-July, Microsoft released seven security bulletins, each describing one or more vulnerabilities in its products and the patch that fixes them. Those of you who want fairly in-depth information about these patches should go to Microsoft's Web site, where you'll find a whole section on security and a Webcast that goes into detail about each one. The Webcast covers who is affected, what the workarounds are, and whether you need to install each particular patch. But it's what Microsoft doesn't say -- or at least doesn't emphasize -- that should have users up in arms.
For the record, Microsoft rates one of these patches "moderate," four "important," and two "critical." The rating weighs the worst-case impact against what an attacker needs to pull it off: how much the user has to do, and what access the attacker must already have. The two "critical" fixes here close remote code execution holes that a user can trigger just by viewing a Web page or an HTML e-mail; the "important" ones need more, such as a local logon with valid credentials, a particular server configuration, or a user who can be talked into clicking on something. It goes without saying that if you've got users on your network who don't practice safe computing, you might as well treat every "important" fix as "critical."
The first of these seven patches, the "moderate" one, is a security update for Outlook Express that closes a denial of service hole. You need it if Outlook Express is installed on Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003. It is less urgent if you don't actively use Outlook Express.
The second patch covers a vulnerability in Utility Manager. Without the patch, an attacker could send a specially crafted message to Utility Manager and run code in the system context, that is, with full SYSTEM privileges. The reason this patch is "important" rather than "critical" is that the attacker must be logged on locally with valid credentials; it cannot be exploited remotely. If you use Windows 2000, this patch is for you, and disabling Utility Manager is the workaround. The third patch covers a similar vulnerability in both Windows NT 4.0 and Windows 2000, this time in the POSIX subsystem. It's a buffer overrun, but it has the same effect (code running as SYSTEM), the same preconditions (the attacker must log on locally with valid credentials), and the same kind of workaround (disable the POSIX subsystem).
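Here is one way to script the POSIX workaround mentioned above. This is an added example, not code from the article or from Microsoft's bulletin. It assumes that the list of optional subsystems lives in the REG_MULTI_SZ value named Optional under the Session Manager\SubSystems key, which is where Windows NT 4.0 and Windows 2000 keep it, and that you run it from an elevated prompt on the machine being hardened. The -WhatIf switch previews the change without writing anything.

```powershell
# Added example (not from the article or Microsoft): remove "Posix" from the
# optional-subsystem list so the POSIX subsystem can no longer be started.
# Assumption: the list is the REG_MULTI_SZ value "Optional" under the
# Session Manager\SubSystems key (NT 4.0 / Windows 2000 layout).
# A reboot is needed before the change takes effect.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Subsystems to disable. Add 'Os2' to drop the OS/2 subsystem as well.
    [string[]]$Subsystems = @('Posix')
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'

# Read the current multi-string; fail loudly if the value is missing.
$current = @((Get-ItemProperty -Path $key -Name Optional -ErrorAction Stop).Optional)
Write-Host "Optional subsystems currently enabled: $($current -join ', ')"

# Comparison is case-insensitive, matching how the registry value is read.
$toRemove  = @($current | Where-Object { $Subsystems -contains $_ })
$remaining = @($current | Where-Object { $Subsystems -notcontains $_ })

if ($toRemove.Count -eq 0) {
    Write-Host 'Nothing to do: none of the requested subsystems is enabled.'
    return
}

if ($PSCmdlet.ShouldProcess($key, "remove $($toRemove -join ', ') from Optional")) {
    # Keep the value a REG_MULTI_SZ even when the remaining list is empty.
    Set-ItemProperty -Path $key -Name Optional -Value ([string[]]$remaining) -Type MultiString
    Write-Host "Removed: $($toRemove -join ', '). Reboot for the change to take effect."
}
```

Run it once with -WhatIf to confirm it will only touch the Posix entry, then without. If the Optional value already lacks Posix, the script reports that and exits without writing to the registry.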
The fourth patch, also rated "important," covers Internet Information Server (IIS) 4.0 on Windows NT 4.0. A buffer overrun in the IIS redirect function can let an attacker run code in the system context by sending a specially malformed request to the server. As a workaround, you can disable permanent redirects in IIS.
The fifth patch, rated "critical" for Windows 2000 and Windows XP, involves a buffer overrun in Task Scheduler that allows code execution. The only good news is that the code runs in the user's context, so an attacker gets no more than that user already has (which is everything, if the user is a local administrator). Think of it as yet another good reason to grant your users only the privileges they absolutely need to do their jobs. Attackers exploit this weakness via either a malicious Web site or an e-mail attachment. Educate your users not to visit suspicious Web sites or open unexpected attachments, and install the patch anyway; education is a backstop, not a fix.
The sixth patch, also rated "critical," affects damn near everything: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows 98, Windows 98 SE, and Windows ME. It concerns ShowHelp and HTML Help, and attackers exploit it the same way they exploit the Task Scheduler vulnerability, through a malicious Web site or e-mail, with the same result: they can only do as much damage as the affected user could do. To limit the damage, Microsoft recommends that you make sure HTML e-mail is opened in the Restricted sites zone (some versions of Outlook Express do this by default), use IE 6.0 or later, and install the latest cumulative security update for IE.
The final patch, rated "important," covers a vulnerability in the Windows Shell that could allow remote code execution. It affects Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. (Windows 98, Windows 98 SE, and Windows ME are also affected, but the issue is not rated critical for them, which under Microsoft's support policy for those versions means no fix is provided.) An attacker uses a malicious HTML page, either hosted on a Web site or sent as e-mail; if successful, the attacker's code runs in the user's context.
Bear in mind that this fix comes as two different packages: one for systems with Active Desktop and one for systems without it. Install the package for systems without Active Desktop on a machine that has it, and Active Desktop will stop working. If you don't know whether Active Desktop is installed, Microsoft Knowledge Base article 216840 explains how to find out.
How to Find out if You Need the Patches
Okay, so how do you find out whether you need these patches? For the last six of them, you can use Microsoft Baseline Security Analyzer (MBSA). To cover all seven, use the Software Update Services (SUS) client, which detects every one of them automatically and consolidates the updates into a single reboot. You can also use Systems Management Server (SMS) 2.0 both to detect systems that need the patches and to deploy them.
By Terri Wells