Microsoft on Tuesday issued fixes for 14 flaws in Windows, including a security hole that one expert says is ripe for exploitation by a major worm.
The majority of the vulnerabilities addressed in nine security bulletins from Microsoft require some user interaction for an attack to succeed. That means an attacker would have to trick people into visiting a malicious website, clicking on a bad link or opening a malformed file to exploit the security holes.
However, the vulnerabilities rated "critical" may allow a system to be compromised remotely without any user interaction. One such flaw, described in Microsoft's MS05-051 security bulletin, lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC.
Marc Maiffret, the chief hacking officer at security specialist eEye Digital Security, said: "It is a remote system vulnerability that could very easily be turned into a worm. It is very similar to the vulnerability two months ago that resulted in the Zotob worm."
The MSDTC buffer overflow flaw primarily affects computers running Windows 2000. Depending on configuration, it could also be used against a computer with Windows XP with Service Pack 1 or Windows Server 2003, Microsoft said in its advisory.
Stephen Toulouse, a program manager in Microsoft's Security Response Center, said: "Among the critical updates, customers who run older versions of the operating system such as Windows 2000 should prioritise MS05-051 for deployment on those systems."
The MS05-051 update also fixes three other bugs in Windows but these carry varying risk ratings, depending on the operating system. One, deemed critical, is a flaw in a Windows component that handles resource management tasks, called COM+. This security hole is also found in Windows 2000 and Windows XP SP1.
People who run older versions of the operating system are more at risk from the MSDTC and COM+ vulnerabilities, Toulouse said. That goes for the rest of the 14 flaws tackled by the patches issued on Tuesday.
Toulouse said: "In general, many of these bulletins have a lower impact in terms of severity and are much more difficult to exploit on newer operating systems such as Windows XP SP2 and Windows Server 2003 SP1."
Despite being put on the back burner by Microsoft, the older Windows 2000 is still popular among corporations.
Both the MSDTC and COM+ flaws were privately reported to Microsoft by researchers following the company's "responsible disclosure" practices. The software giant said it is not aware of any attacks that exploit the flaws.
Maiffret of eEye said he believes it will be only a matter of days for the first attack code to surface. "There is no technical challenge in writing a worm for the [MSDTC] vulnerability. It really depends if somebody decides to or not," he said.
Microsoft's Toulouse said the software giant will be watching for malicious software.
Microsoft has labelled two other security alerts as critical. One patch, delivered in MS05-050, fixes a problem in software for streaming media in Windows, called DirectShow. The other, in MS05-052, repairs problems in Internet Explorer similar to those patched in July and August.
Joris Evers writes for CNET News.com






Comments
There are 4 comments.
1. anonymous
Still no sign of any updates having arrived since the download process seemed to die on Tuesday evening so I guess it did die.
2. anonymous
Following my last comment the MS Update icon appeared again in the system tray this afternoon, 13.10.05, and then vanished again.
Now I am getting 'Communication Error' problems with my Epson Photo printer. I have seen this before after MS updates and have had to resort to re-installing the driver. Looks like it's happened again even though the Update process seems stalled.
Little wonder folk use Macs and Linux.
3. anonymous
Not sure if this is technically possible or not, but why don't the "hole pluggers" who patch security holes in Microsoft OS's start writing software which lures, ID's, and traps the culprits who attack?
For instance, they (the attackers & virus writers etc) lure and tag the victims with a virus or spyware. Would it be possible to use the same approach from the OS pov? ie: write decoy routines designed to trick, tag, & track virus progs back to the source?
Maybe this is already done?
4. anonymous
Just over a week down the road since applying the MS Updates which in desperation, after the AutoUpdate icon in the system tray had popped up and vanished again, I went through the fetch routine in Security Centre, I am finding a number of applications have developed instability and weird behavioural symptoms.
In particular an Epson printer driver that insists on not printing to the bottom edge of a photo image (this edge is also cropped in the printer driver preview window) despite the print preview in three different imaging applications showing the complete image. This has lost me a week, one full of frustration in trying different driver versions and USB cables etc., (phoning Epson Tech' Sup' without any solution forthcoming) and still not finding a cure. All I can do is work around it. Argh!
Another odd thing about AutoUpdate was that I had downloaded and the install process was just about finished when the AutoUpdate icon appeared in the system tray along with the bubble telling me that Updates were available to fetch. I wonder what would have happened if I had elected to fetch and install again?