Microsoft Issues 3 Patches; IE Fix Delayed
UPDATE: First major patch of the year includes three big fixes, but five 'extremely critical' holes in Internet Explorer are pending.
Microsoft on Tuesday issued three security bulletins in order to fix vulnerabilities in its ISA Server 2000, Exchange Server 2003 and Windows products as part of its once-a-month schedule for patches.
But it also had to delay issuing a patch for a flaw in the Internet Explorer (IE) browser, which was publicized over a month ago.
A third advisory and patch for a flaw with an "important" rating was issued for Windows with a warning that the flaw could leave users open to arbitrary code execution.
Stephen Toulouse, program manager at Microsoft's security response center, declined to say why the IE patch was not issued in the company's patch schedule this time around.
"The release [of a patch] requires a balance between time and testing. We'll only release a patch when it's well-engineered and thoroughly tested," he told internetnews.com.
In November of 2003, Chinese security researcher Liu Die Yu released details of five serious IE vulnerabilities that could lead to system takeover, exposure of sensitive information, cross-site scripting and security bypass.
Yu also circulated proof-of-concept exploits on several mailing lists, warning that IE versions 5.0, 5.5 and 6.0 were susceptible to the vulnerabilities. At the time, independent security consultant Secunia rated the bugs as 'extremely critical.'
Although the patch was expected as part of the January release, Microsoft held off. "We are taking that very seriously and we're proceeding with our investigations," Toulouse explained. He also stressed that getting the patch right was key.
"An incomplete patch can be worse than no patch at all. Especially if a faulty patch only ends up serving to alert malicious attackers to the issue," Toulouse added.
He said a cumulative patch for IE represented a unique challenge for patch programmers because the browser was deployed in numerous versions, languages and on multiple operating systems. "Internet Explorer is available in five versions. Now, multiply that times all the supported languages and the different operating systems and you'll find that we have to create about 500-odd patches that have to go through a very strict testing process."
But Jupiter Research analyst Joe Wilcox said he believes the company had enough time to get a patch ready. "One and a half months seem like a very long time to test a patch for a potentially critical update that is already public. The key here is that the info is already public and if you look at what happened with the blaster worm, the patch was made available in July  and, in less than a month, the exploit was unleashed on the Internet," Wilcox told internetnews.com.(Jupiter Research and this publication are owned by the same parent company.)
"If they're treating [Yu's] November vulnerability as critical, then the amount of time to test a patch surprises me. If they're viewing this as a non-threatening problem, then the amount of time isn't a serious consideration," Wilcox added.
Toulouse said the process needs to be engineered properly. "We want to make sure we have a proper patch available for all the languages and all the versions of IE. You can't fix one language and not fix another. We're in a deep investigation on it and I want to make it clear we absolutely take that report very seriously and we're going to take the appropriate action to protect our customers."
Microsoft also issued a re-release of a patch first issued in October to correct a problem in the Thai, Hebrew and Arabic versions of the original release, one that was rated "important" in the company's ratings system. That patch, which has been tweaked several times, fixes a vulnerability in the ListBox control and the ComboBox control that contains a buffer overrun.
The first advisory for 2004 covers a security vulnerability H.323 filter for Microsoft Internet Security and Acceleration Server 2000 that could allow an attacker to overflow a buffer in the Microsoft Firewall Service. "An attacker who successfully exploited this vulnerability could try to run code of their choice in the security context of the Microsoft Firewall Service. This would give the attacker complete control over the system," the company warned.
The flaw in the H.323 protocol has also put users of VoIP products from Cisco and Hewlett Packard at risk.
Microsoft also issued a fix for a buffer overflow flaw in the data access component (MDAC), the code that connects users in a database environment. In this case, one of the MDAC components could be compromised when a user tries to find out who else is using SQL Server on the network, by broadcasting a request. An attacker could respond to this request by sending a packet that causes a buffer overflow in the MDAC component, giving them the same privileges as the user who initially made the request.
The flaw is not considered critical by Microsoft security experts
because the attacker has to first be on the same subnet
"If the program ran with limited privileges, an attacker would be limited accordingly," the security advisory stated. "However, if the program ran under the local system context, the attacker would have the same level of permissions."
The vulnerability affects MDAC 2.5 and 2.6 in Windows 2000 and SQL Server 2000, MDAC 2.7 in Windows XP and MDAC 2.8 in Windows Server 2003, both the 32- and 64-bit versions. This is the second time in recent months that Microsoft has needed to patch its MDAC; in August, an identical flaw was reported affecting MDAC 2.5, 2.6 and 2.7, though it didn't affect version 2.8.
On Tuesday, a third patch for Exchange Server 2003 was also released to fix a privilege escalation issue with front-end servers that are running Outlook Web Access for Exchange Server 2003.
Patches and more information on the January patches are available here.