In its monthly scheduled security update, Microsoft released four sets of patches, totaling 33 updates, to counter several vulnerabilities in the company’s widely used Windows operating system and other software products. Microsoft said three of the four patch sets are “critical vulnerabilities,” with the fourth rated as “important.”
Lacking a more automatic and forceful patching mechanism — planned for the new Windows Update Services set for release later this year — the software giant urged users to apply the patches immediately.
While there was serious concern about the three critical areas of vulnerability — in versions of Windows Server, Outlook and Windows XP — Gartner vice president Richard Stiennon told TechNewsWorld that the security issue rated “important,” a potential for the execution of remote code via Microsoft’s Jet Database Engine 4.0, is the most serious one.
“I would say this is as critical as the original vulnerability in IIS that allowed SQL Slammer,” Stiennon said of the database engine vulnerability. “It sounds a lot like it could enable a SQL Slammer- and Nimda-like worm.”
Pouring On Patches
Microsoft’s release of the four patches for different versions of its software products comes as the company’s sixth monthly cycle release, which is aimed at easing the burden of patching and allowing for predictable scheduling.
The first series of patches deals with several vulnerabilities in Microsoft’s Windows NT Workstation and Server, Windows XP, Server 2003, NetMeeting and related service packs. The newly discovered vulnerabilities could allow an attacker to take control of a system, install programs, view, change or delete data, or create new privileged user accounts.
A second patch set is for a variety of Windows XP, NT and Server 2003 systems, as well as Windows 98, 98SE and ME, and is meant to prevent system compromise through several newly discovered vulnerabilities in the remote procedure call (RPC) protocol, the same component whose weakness gave rise to the Blaster worm last year.
The third patch series is intended to head off a security hole in Outlook Express that could allow an attacker to access files and take complete control of the affected system, even if Outlook Express is not used as the default e-mail reader on the system, Microsoft said.
Microsoft’s fourth series of patches is for the Jet Database 4.0 issue, which Stiennon said means servers blocking the SQL requests that allowed the Slammer worm will have to be patched again. “We know from history that people aren’t very good at patching,” he said.
Michael Sutton, director of iDefense Labs, said the number of critically rated vulnerabilities highlights the importance of the Microsoft patches.
“When eight of 20 are what they thought to classify as critical, it’s pretty significant,” Sutton told TechNewsWorld. “Critical means they’re remotely exploitable, and they also emphasize that a critical one is something that could be taken advantage of through malicious code, which has been a problem for Microsoft for a long time.”
Stiennon said that while Microsoft’s monthly patching has helped organizations, the process of applying updates to thousands, or in some cases tens of thousands, of PCs is still a painful one.
“Enterprises are working the patching process better, but it’s still extremely expensive to patch every month,” he said.
Time’s Up for Patching
Sutton, whose company worked with Microsoft on the discovery and resolution of one of the critical security holes, praised Microsoft’s monthly patching routine and also the software giant’s work with iDefense. However, he indicated that Microsoft needs to cut down the time between disclosure of a vulnerability and release of a patch.
“The thing they have to work on is the timelines out there,” Sutton confirmed. “The average is about three to six months from the time reported to the time patched, and that’s not a good one. Just because we haven’t done a public release doesn’t mean others will not. Not everybody is as responsible. There’s definitely pressure on Microsoft to reduce timelines.”
Stiennon, who has criticized Microsoft for relying on a lack of disclosure around vulnerabilities, said that, unfortunately, even faster disclosure and patching of holes would not help in the case of a zero-day worm, which would strike before a fix is available and applied.
“There’s not a big difference [from disclosure to disclosure],” Stiennon said. “Either way, we’re in trouble.”