Another month, another batch of Microsoft security fixes.
This month’s Patch Tuesday distribution shows that even the newest offerings from Redmond contain holes that skilled, malicious hackers can exploit. In fact, all of the seven advisories — covering 19 flaws — described in the latest Patch Tuesday were labeled by Microsoft as “critical.” That means they might allow attackers to easily gain control of a system.
The patches are for vulnerabilities discovered in Microsoft’s newest Web browser, Internet Explorer 7, as well as Office 2007 and Exchange 2007.
While Patch Tuesday surely provides fodder for cynical sneering from Macintosh advocates, some computer security professionals said Microsoft deserves credit for supporting the work of the independent researchers who help find the flaws and for regularly admitting it can’t be perfect.
People should appreciate, and act upon, Microsoft’s announcements, Graham Cluley, a senior technology consultant for Sophos, told TechNewsWorld.
“As always, if Microsoft is prepared to stand up and say ‘Whoops! We’ve got holes in our software,’ then the world better be prepared to listen,” said Cluley. “The correct response is make sure that your company is protected with the patches, and is not vulnerable to these types of exploits.”
The Patch Tuesday fixes make it clear that, despite Microsoft’s best effort to create software that’s bulletproof out of the box, doing so is a very difficult task.
Keep Up Your Guard
This month’s and last month’s Patch Tuesdays revealed holes that might impact users of even the new, supposedly tighter-than-ever versions of Microsoft software, Cluley noted. The patches included fixes for Windows Vista flaws.
“Hackers have shown no mercy in the past taking advantages of vulnerabilities in Microsoft’s code, and taking action now will help defend your network and keep your company out of trouble,” wrote Cluley on the Sophos Web site.
Companies should take the Patch Tuesday reports as proof they need to hire or assign somebody to be in charge of network security, he said. “If you haven’t already done so, you need to task staff in your business with the job of being responsible for securing your defenses,” said Cluley. “Being aware of the latest security patches is a must.”
Ghosts in the Machines
Companies might want to pay particular attention to the updates labeled “MS07-026” and “MS07-029,” which fix problems discovered in Exchange 2007 and the Windows DNS (Domain Name System) server.
The Exchange 2007 flaws, of which there are four, could result in the compromise of systems that run the e-mail server software. The MS07-027 patch repairs six flaws in Internet Explorer that could leave the browser open to exploitation by malicious Web sites.
Bulletin MS07-028 addresses a vulnerability in “Capicom,” a cryptography technology used by BizTalk Server. This flaw could allow attackers to gain control over a computer.
Bad Sites, Bad Files
Most of the security holes can be exploited when people browse to bogus Web sites or open malicious files. As usual, the Patch Tuesday repairs will be made available through Windows Automatic Updates, but they can also be downloaded from Microsoft Update and Windows Update.
Unfortunately, by revealing the flaws, Microsoft alerts bad guys to their existence, noted Cluley.
“In the past, we’ve seen hackers race to exploit vulnerabilities within days of Microsoft announcing them,” he said. “It wouldn’t be a surprise if we saw that happen again.”
Experts found that a worm now “spreading in the wild” is exploiting the DNS flaw, and Cluley said the patch for that flaw has been “eagerly anticipated.” The hole allowed worms, including W32/Delbot-AI, also known as “Nirbot” or “Rinbot,” to turn PCs into part of a “zombie network” last month, according to Sophos.
Predictability Is Good
While some observers criticize Microsoft for waiting a month to tell the world about flaws, Tod Beardsley, lead counter-fraud engineer at Tipping Point, told TechNewsWorld the Patch Tuesdays are a good idea.
“Microsoft has a lot of users,” he noted. “A lot of people get affected … People say, ‘Gee, Microsoft should patch faster.’ But it’s very difficult. It’s amazing when they do get this stuff out intra-month. If they discover something on a Monday and have a patch available by Friday, that means you had a whole bunch of people at Microsoft working 24 hours all week long.”
Most corporate IT technicians prefer knowing when the new patches will be coming, he said. “In the old days, they would release this stuff willy-nilly,” said Beardsley. “At least with this, customers know that on Tuesday evening things are going to be happening with their infrastructure. It’s really handy.”