Patch Tuesday Analysis for July 2005

Today is "Patch Tuesday" and Microsoft released 3 security bulletins - all of them classified as critical. The one I view as most dangerous is MS05-036 - Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214). (http://tinyurl.com/8ba96) All versions of Windows have this vulnerability, there are no work-arounds, it allows arbitrary code execution and it can be exploited by any method where the attacker can get a user to open or view an image, such as from a web page or even by previewing an email message. While this vulnerability doesn't appear to have been widely known about prior to today, Microsoft does report that there have been instances of it being exploited in recent attacks. I expect the bad guys are already hard at work building this new infection vector into the next big worm. Because of its omnipresence, fairly low prerequisites and lack of work-arounds, this is a bad one folks. The good news is that you can install this update using any of Microsoft's update technologies including the Microsoft Update service, Software Update Services (SUS), Windows Server Update Services (WSUS) or Systems Management Server (SMS). If you manage more than a few systems and aren't already using WSUS, you are falling behind. You can scan for vulnerable installations with MBSA 1.2.1 and 2.0.

It's a toss-up between the other 2 bulletins as to which is worse. MS05-037 - Vulnerability in JView Profiler Could Allow Remote Code Execution (903235) (http://tinyurl.com/7pbyx) only affects systems that have a COM object, the JView Profiler (javaprxy.dll), installed, which isn't common on servers or end-user workstations even if you have the Java virtual machine and Java applications installed. Like the other 2 bulletins released today, this one opens a way for an attacker to run arbitrary code under the authority of the user. Making the situation worse, the bad guys have known about this vulnerability for some time and Microsoft reports that attackers have been exploiting it already. JView Profiler is a debugging interface to the MS Java Virtual Machine. To determine if your systems are vulnerable you can download the Diagnostic Tool for the Microsoft VM and scan your network for the presence of javaprxy.dll. This shouldn't be a vulnerability for most email client installations, since Outlook and others default to displaying HTML emails under the Restricted Sites zone, which prevents ActiveX controls from running; however, an attacker could target users by sending an email with a link back to a malicious web page that exploits the JView Profiler. If you are concerned about systems that may be vulnerable but would like to avoid installing the update, or wish to mitigate the risk while testing the update, there are 2 work-arounds that can be easily implemented through group policy. You can either deploy a policy that sets a permission on %windir%\system32\javaprxy.dll that denies Everyone Read & Execute access, or you can create a Software Restriction policy that prevents the DLL from loading. The update for this vulnerability can be installed via Microsoft Update, SUS, WSUS and SMS. You can scan for vulnerable installations with MBSA 1.2.1 and 2.0.
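As an added example (not from the original post), here is a scripted version of the first MS05-037 work-around described above: check a list of machines for javaprxy.dll over the ADMIN$ share and, where it is present, add a Deny Read & Execute entry for Everyone. It assumes a PowerShell host with administrative rights on the target machines; the host names are constructed, and group policy remains the better way to roll the setting out broadly.

```powershell
# Added example: scripted form of the javaprxy.dll permission work-around.
# Assumes admin rights and reachable ADMIN$ shares; host names are made up.
$Computers = @('WS01', 'WS02', 'TS01')

function Get-JavaPrxyStatus {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $path = "\\$c\admin`$\system32\javaprxy.dll"
        [pscustomobject]@{
            Computer = $c
            Present  = Test-Path -LiteralPath $path
            Path     = $path
        }
    }
}

function Set-JavaPrxyDeny {
    param([string]$Path)
    # Deny Everyone Read & Execute so Internet Explorer cannot load the
    # JView Profiler COM object until the MS05-037 update is installed.
    # Remove this ACE again once the update has been deployed.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Report every host, then apply the deny entry only where the DLL exists.
$status = Get-JavaPrxyStatus -ComputerName $Computers
$status | Format-Table Computer, Present -AutoSize

$status | Where-Object Present | ForEach-Object {
    Write-Host "javaprxy.dll found on $($_.Computer); applying deny ACE"
    Set-JavaPrxyDeny -Path $_.Path
}
```

The report alone (without the Set-JavaPrxyDeny step) doubles as a quick inventory of which machines actually need the update.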

The third bulletin, MS05-035 Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672) (http://tinyurl.com/b2fe2), details a vulnerability in Microsoft Word 2000, Word 2002 (part of Office XP) and, for what it's worth, Microsoft Works Suite 2000-2004. The vulnerability exploits a buffer overflow in Word's font parsing logic that allows an attacker who creates a specially crafted Word document to run arbitrary code under the user's authority. There are no good work-arounds for mitigating this threat. Microsoft's recommendation to only open Word attachments from trusted senders doesn't take into account the problem of viruses and worms that propagate via a victim's address book. For Word 2002 (Office XP) you can deploy this update via the Microsoft Update service, WSUS and SMS but not through SUS. You can use MBSA 2.0 to scan your network for vulnerable Word 2002 installations, but MBSA 2.0 doesn't support Word 2000. To detect vulnerable Word 2000 installations you can use MBSA 1.2.1 locally, or you can scan many systems automatically using the Office Detection Tool (ODT) and a simple script. See my article at http://www.windowsitpro.com/Article/ArticleID/46623/46623.html.

In summary, the color management vulnerability update needs to be deployed to all workstations ASAP. If you follow best practice and avoid viewing email, web pages or content from any untrusted source while logged on at a server interactively or through Terminal Services/Remote Desktop, you may choose to defer deploying this update to servers until you are satisfied it doesn't introduce any stability or compatibility problems. As for the Java and Word vulnerabilities, determine which systems, if any, are vulnerable. For systems vulnerable to the Java Profiler exploit, you can put off deploying the update by implementing one of the work-arounds. But systems with Word 2000 or Word 2002 definitely need the font parser update as soon as possible.

Bulletin: MS05-036 (901214)
Exploit type / technology affected: Arbitrary code / Windows
System types affected: Workstations, Terminal Servers
Exploit details public? / Being exploited?: Yes / Yes
Comprehensive, practical workaround available?: No
MS severity rating: Critical
Products affected: Win2000, XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Advanced Server 2000, Small Business Server 2000
Notes: None
Randy's recommendation: The color management vulnerability update needs to be deployed to all workstations ASAP. If you follow best practice and avoid viewing email, web pages or content from any untrusted source while logged on at a server interactively or through Terminal Services/Remote Desktop, you may choose to defer deploying this update to servers until you are satisfied it doesn't introduce any stability or compatibility problems.

Bulletin: MS05-037 (903235)
Exploit type / technology affected: Arbitrary code / Windows
System types affected: Workstations, Terminal Servers
Exploit details public? / Being exploited?: Yes / Yes
Comprehensive, practical workaround available?: Yes
MS severity rating: Critical
Products affected: XP, Server 2003, Internet Explorer, Windows Millennium, Win98
Notes: None
Randy's recommendation: Determine which systems, if any, are vulnerable. For systems vulnerable to the Java Profiler exploit, you can put off deploying the update by implementing one of the work-arounds.

Bulletin: MS05-035 (903672)
Exploit type / technology affected: Arbitrary code / Office
System types affected: Workstations, Terminal Servers
Exploit details public? / Being exploited?: No / No
Comprehensive, practical workaround available?: No
MS severity rating: Critical
Products affected: Office 2000, Office 2002
Notes: This bulletin replaces the MS05-023 security update.
Randy's recommendation: Microsoft recommends installing this update at the earliest opportunity. Systems with Word 2000 or Word 2002 definitely need the font parser update as soon as possible.
