This month’s Patch Tuesday arrived with a rather unwelcome security surprise.
Microsoft had expected things to be somewhat sedate; however, instead of two vulnerabilities that it expected needed patching, it got hit with four, including a new zero-day Internet Explorer exploit.
Further, Microsoft has had to update its Malicious Software Removal Tool to include Win32/Helpud, a Trojan that’s been around since 2008. In addition, it’s keeping an eye on a VBScript vulnerability that could allow remote code execution.
Lazy, Crazy, Hazy Days Are Gone
On Monday, Microsoft issued its advance notification security bulletin for Patch Tuesday. This slated Bulletins MS 10-016 and MS 10-017 for release Tuesday.
On Tuesday, it added Bulletins MS 09-033; 981374, revived a warning about the Win32/Helpud Trojan first published in December 2008, and said it “continues to monitor” the threat landscape around Security Advisory 981169 about the VBScript vulnerability.
The expansion was unexpected. “Contrary to what we expected last week, the Microsoft March security announcement has a little surprise in it,” Wolfgang Kandek, chief technology officer of Qualys, wrote in his blog.
He described Windows Producer as “a little-used multimedia add-on to PowerPoint”.
Another Day in IE
A new Internet Explorer vulnerability, which could allow remote code execution, has surfaced.
Like the vulnerability that led to hack attacks on Google and more than 20 other large American companies — a series of events that escalated to spark off a war of words between the United States and China — this latest flaw is due to an invalid pointer reference, according to Redmond.
However, the two are unrelated, Microsoft spokesperson Jerry Bryant told TechNewsWorld.
Microsoft’s investigations show that IE 6 Service Pack 1 on Windows 2000 Service Pack 4, and standalone versions of IE 6 and IE 7 are vulnerable. However, IE 8 and IE 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected.
Other New Vulnerabilities
MS 10-016 lists a vulnerability in Windows Movie Maker and Microsoft Producer 2003 that could allow remote code execution. Windows Movie Maker versions 2.1; 2.6; and 6.0 are all affected.
Customers with automatic updating set up will have the Movie Maker vulnerability taken care of. However, Windows Producer could pose more of a problem.
“There is no patch for the Producer add-on yet,” Qualys’ Kandek told TechNewsWorld. “Users should probably just uninstall it, because according to Microsoft, it has a very small installed base.”
The vulnerability affects Windows XP Service Packs 2 and 3; Windows XP Professional x64 Edition SP2; and all versions of Windows Vista, including service packs.
It does not affect Windows Live Movie Maker, which is available for Windows Vista and Windows 7.
However, Windows 7 users who download and install Movie Maker 2.6 could be affected.
MS 10-17 lists seven vulnerabilities in Microsoft Excel that could allow remote code execution if a user opens a specially crafted Excel file. Such files are sometimes sent to selected targets in spearphishing attempts — attacks directed at selected victims.
It affects Excel 2002, 2003, 2007 and all supported versions of Microsoft Office Excel Viewer and Microsoft Office Compatibility Pack. Mac users are also in danger, as the vulnerability affects Excel 2004 for Mac, Microsoft Office 2008 for Mac and Open XML File Format Converter for Mac. More details are available in Microsoft’s bulletin.
The first and easiest solution is to avoid opening Excel files sent by e-mail.
Users should also implement the update, which changes the way that Excel parses malicious Excel files, Microsoft said.
Reviving Older Problems
On Tuesday, Microsoft also rereleased Security Bulletin MS 09-033, first released in July 2009. This addresses vulnerabilities in Virtual PC and Virtual Server that could let attackers elevate system privileges.
It affects all supported editions of Virtual PC 2004, Virtual PC 2007 and Virtual Server 2005.
“This shows that companies have to include their virtualized operating systems in their normal patching procedures, and that they might have to do additional work on virtualized machines,” Qualys’ Kandek said.
Microsoft has also revived the security bulletin on the Win32/Helpud Trojan. This is a family of Trojans that steals login information for popular online games. Users need to set up a firewall on their PCs; update their software, including antivirus applications; and be careful when opening attachments, accepting file transfers and clicking on links to Web pages, Microsoft said.
Microsoft is also keeping an eye on a VBScript vulnerability impacting Windows 2000, Windows XP and Windows Server 2003 through the use of IE.
This allows remote Web execution. It does not impact Windows 7, Windows Server 2008 Release 2, Windows Server 2008 or Windows Vista.
Why IE Again?
How is it that another invalid pointer reference cropped up in IE 6? Didn’t Microsoft already patch the one that led to the Google hack?
Yes it did, but browsers are huge, very complex applications. “It’s impossible to completely prevent all vulnerabilities during software development,” Microsoft’s Bryant pointed out.
“A piece of software like IE likely contains 2 to 4 million lines of code,” Paul Judge, chief research officer at Barracuda Networks, told TechNewsWorld. “It’s quite likely that this one fix was not the lone programming mistake that could result in an invalid pointer reference.”
It’s time to move from the outdated IE6 to IE8, Qualys’ Kandek said.
“The fact that IE8 is not vulnerable really underscores the need to migrate to newer, more robust technologies, as newer browsers have implemented many additional security features that are not found in older ones,” he said.