Everyone has different reasons for exposing Windows security flaws. Some do it for avenging a fellow security researcher's insult, others to bring home the bacon. Unlike the Microsoft -Spurned Researcher Collective, which falls in the former category, Danish security firm Secunia's motivation is purely pecuniary.
“The vulnerability is caused due to a boundary error in the "UpdateFrameTitleForDocument()" function of the CFrameWnd class in mfc42.dll. This can be exploited to cause a stack-based buffer overflow by passing an overly long title string argument to the affected function,” Secunia said on its site.
According to group manager Jerry Bryant, “Microsoft is investigating new public claims of a possible vulnerability in Windows 2000 and Windows XP.” However, he is unaware of any attacks based on the vulnerability.
Today, Microsoft released a trio of security bulletins covering all currently-supported Windows versions. Users of Windows 2000 SP4 through Windows Vista SP1 (as well as Windows Server 2003 and 2008) need to install the update for the critical Windows kernel vulnerability noted in Security Bulletin MS-09-006. The other two bulletins (MS09-007 and MS09-008) solve important vulnerabilities in SChannel (007) and DNS/WINS Server (008); these bulletins apply to Windows 2000 SP4 through Windows XP and Server 2003 only.
Other updates to look for include the usual updates to the Malicious Software Removal Tool and the Windows Mail junk email filter. If you're on Automatic Updates, follow instructions to reboot if needed after installation. If you prefer to be in charge, don't forget to download and install these as soon as possible.
When Windows Vista launched back in January of 2007, incompatibility was a term that was synonymous with the new OS. Things have clearly improved since then, but almost everyone has at least one or two applications that simply refuse to run, and probably will never see an updated version. The problem for Microsoft grows even larger when you look at businesses that often have very custom mission critical applications that tend to be rather fussy about their operating environment. For these businesses, Vista was simply not an option. The use of virtualization as a solution to incompatibility is nothing new. Unfortunately in most cases it is an overkill approach that requires multiple OS licenses, and a beefy enough rig to support both the guest and host environments.
Those in search of a better solution are overjoyed by the launch of Microsoft's Enterprise Desktop Virtualization Beta, also known as MED-V. The release was announced on the official MDOP blog where Senior Product Manager Ran Oelgiesser seemed enthusiastic about the future of embedded virtualization. “For those of us on the MED-V product team, our primary goal was to deliver an enterprise virtualization solution for the compatibility challenges that IT teams have with some of their line-of-business applications, during the upgrade to new operating systems (like Windows Vista). With MED-V 1.0, you can easily create, deliver and centrally manage virtual Windows XP or 2000 environments (based on Microsoft Virtual PC 2007), and help your users to run legacy applications on their Windows Vista desktops”. MED-V is slated to leave beta in Q2 2009.
With the Windows 7 launch on the horizon, is this too little too late?
This month's Patch Tuesday, unlike October's, is a quiet one, with just two security bulletins:
MS08-069 solves a remote code execution vulnerability in Microsoft's XML Core Service that is rated as Critical for version 3.0 and Important for later versions. All 32-bit and 64-bit desktop versions of Windows from Windows 2000 SP4 through Windows Vista SP1 are affected, as well as Microsoft Office 2003 and 2007. The Exploitability Index is 1 (Consistent Exploit Code Likely - the most serious ranking) or 2 (Inconsistent Exploit Code Likely), depending upon the version of XML Core Services installed. Windows Server 2003 and some installations of Windows Server 2008 are also affected.
MS08-068 patches a remote code execution vulnerability in the SMB protocol. MS08-068 is rated as Important for Windows 2000 SP4 and Windows XP, and Moderate for Windows Vista. Windows Server 2003 and all Windows Server 2008 installations are also affected. Despite Microsoft's rating this vulnerability as only Important rather than Critical, MS08-068's Exploitability Index is 1 because exploit code targeting Windows XP is already public.
That's it for Patch Tuesday security bulletins, both of which will be arriving soon via Windows Update (or can be downloaded manually if you prefer). What else has Microsoft served up?
The only non-security content this time is the usual monthly update for the Malicious Software Removal Tool (KB890830; not yet updated as this article was posted now updated) and the usual monthly update for the Windows Mail junk mail filter (KB905866), available in 32-bit and 64-bit versions.
Redmond usually releases security patches once a month, on Patch Tuesday, but Microsoft's security experts are worried enough about a newly reported vulnerability in the Server service to post an "out-of-band" security update, MS08-067, yesterday for all versions of Windows from Windows 2000 SP4 through Windows Server 2008 and Windows 7 pre-beta. Microsoft hasn't issued a security update between Patch Tuesday releases since April 2007, so this is a significant security issue.
Although all supported versions of Windows are vulnerable, Windows 2000 SP4, Windows XP, and Windows Server 2003 versions are especially vulnerable to this flaw, which can permit remote code execution via a specially crafted RFC request.
To find out what makes this vulnerability so critical, and to learn how to get the update, join us after the jump.
October's Patch Tuesday's bigger than normal, with 11 security bulletins (four critical, six important, and one moderate) affecting the following desktop operating systems and applications:
Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, Windows XP, and Windows Vista get patched to stop a remote code execution threat
Windows XP SP2 and SP3 and Windows XP Professional x64 and XP Professional x64 SP2 will be patched to stop elevation of privilege attacks
Windows 2000 SP4 through Windows Vista SP1 will also be as updated needed to prevent remote code execution
Microsoft Excel 2000 SP3, Excel 2002, Excel 2003 SP2/SP3, and Excel 2007/2007 SP1 will be updated against a critical vulnerability, as will Excel Viewer 2003/2003 SP3, Excel Viewer, and MS Office Compatibility Pack and Compatibility Pack's SP1.
What else is coming down the chute starting Tuesday?
Windows Vista Media Center gets a pair of updates (one for the TV Pack, and one for everyone), as well as the usual updates to the Malicious Software Removal Tool, Windows Mail Junk Email Filter and Customer/Windows Vista Experience Improvement Program.
However, the biggest news is the premiere of the Microsoft Active Protections Program and Exploitability Index we told you about in August. Hopefully, these programs will aid the never-ending battle against the bad guys in cyberspace.
It's a super-sized Patch Tuesday this month, and here's what to expect Windows Update to be sending you in the next day or so (if not already). Follow the links if you prefer to install the updates immediately.
Critical updates include:
A fix for a remote code execution vulnerability in Windows Image Color Management affects users running Windows XP, Windows Server 2003, and Windows 2000 SP4 (Windows Vista users can breathe easy on this one).
A fix for a sextet of vulnerabilities in Internet Explorer 5.01, 6, and 7 affects users of Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003, Windows Vista, and Windows Server 2008.
A fix for a remote code execution vulnerability in the ActiveX control for Microsoft Access's snapshot viewer affects Office 2000 SP3, Office XP SP3, and Office 2003 SP2 and SP3 (Office 2007 users, you ducked this one).