Microsoft Patches 21 Bugs In Windows, Exchange, Office

In the biggest monthly patch roll-out of the year, Microsoft on Tuesday disclosed 21 flaws in Windows, Exchange, and Office, and said that users needed to "install the update immediately" for the seven bulletins tagged as "Critical."

In the 10 security bulletins posted on its Web site, Microsoft outlined bugs in almost every supported edition of Windows, in the Excel spreadsheet, and in Exchange 2000 and 2003.

The previous 2004 record for the largest number of security bulletins released in a month was July, when the Redmond, Wash.-based developer posted eight. In April, however, Microsoft noted two dozen vulnerabilities collected in four bulletins.

The majority of the vulnerabilities (20 out of the 21) and critically-ranked bulletins (6 of the 7) were within various editions of Windows, ranging from the aging Windows NT to the relatively new Windows Server 2003. The only version that escaped a patch was Windows XP Service Pack 2 (SP2).

Among the wide-ranging slew of bugs was one which makes any program rendering WMF- (Windows Metafile) or EMF-format (Enhanced Metafile) image files a hacker entry point, much like September's JPEG bug opened up Windows to hijack via that image file format.Other vulnerabilities reported Tuesday lie in how Windows XP and Windows Server 2003 handle compressed files in the .zip format. Users enticed to a malicious Web site with specially crafted ZIP files, or fed the same by e-mail, could see their PCs grabbed by attackers.

"This is one we're really looking at hard," said Brian Mann, the outbreak manager for McAfee's AVERT research team. "It's such as common format," he added, "and users have been turning to it because other formats, like .exe, are being blocked."

The SMTP and NNTP components within Windows Server 2003 and Exchange can be exploited by hackers, as well, said Microsoft, because of the way the former handles domain name system (DNS) lookups, and due to an unchecked buffer in the latter. A determined hacker could use the vulnerability to gain control of systems or cause the SMTP service to fail, crashing the mail server. Anyone sending a malicious message to an affected PC -- those running NT Server 4.0, Windows 2000 Server, or Windows Server 2003 -- could conceivably get command of the machine. The NNTP vulnerability is particularly insidious, said Microsoft, because it could affect even those machines not using NNTP.

"I wouldn't make a blanket statement," said Oliver Friedrichs, the senior manager of Symantec's security response team, "but the network vulnerabilities, those in the SMTP or NNTP or WebDAV components, those are the ones we see as having the highest criticality.

"It's not likely that these vulnerabilities will affect many organizations," he added, "but enterprises should look at the servers they're running to make sure they're not impacted, or if they are, that they patch."Another critical vulnerability exists in the Windows Shell function of every edition of Windows since 98, except for the newest security update, Windows XP SP2. If a user is running the PC with administrator privileges, the computer can be hacked by the attacker -- possibly controlling it remotely -- if the user views a malicious Web site crafted with the intent of exploiting this buffer overflow vulnerability.

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 have also been patched against eight separate vulnerabilities, including some that have gone unfixed for months. The drag-and-drop bug within IE, for instance, which was first disclosed in July -- the flaw left users open to attack if they visited a Web site -- has now been squashed, Microsoft said.

Of the eight bugs in IE, Symantec's Friedrichs noted that five could be exploited by hackers drawing victims to malicious Web sites, and the other three make it easier for phishing attacks to trick end users into divulging personal information.

The one non-Windows bulletin relates to Excel, the spreadsheet included with Microsoft Office. By creating a purpose-built file, an attacker could gain control of a PC running Excel 2000 or 2000 (Windows), or v. 1 or 2001 (Mac).

This bug, as others including this month's Metafile and ZIP and last month's JPEG vulnerabilities, got grouped by Friedrichs into something he called "content parsing flaws."The danger of this category, he went on, is that it's exploitable simply by getting users to open a file, or in many cases, by just viewing a Web site. Although some user interaction's required, it may be minimal.

"We haven't seen too much of this kind of vulnerability in the past, but it's clearly evident in this release that these types are growing in number," said Friedrichs. "It could be that we're exhausting the vulnerabilities in network and common services. They've gotten so much scrutiny, we've raised the bar there, that researchers are moving on and [finding] these content parsing flaws."

One item of interest is that XP SP2 -- the update launched in August that Microsoft promised was its biggest-ever security upgrade for an OS -- was not susceptible to any of the 20 Windows bugs.

McAfee's Mann said that his group was delving into SP2 to "see why it escaped" and Friedrichs of Symantec praised the update. "From what we can see [with this list], it seems like [Microsoft] resolved many of the security issues and has taken a step forward by re-architecting XP with SP2."

Patches for the 21 vulnerabilities can be downloaded via the Windows Update service and Office Update site, while Automatic Update, Windows' in-the-background patching system, will begin to download and/or install the fixes on some systems Tuesday.For more information on the bugs, steer first to Microsoft's Security site, which includes links to the individual bulletins.