Patch Analysis for November 2005

Just one patch this month but it's important for workstations and terminal servers.  

MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)

This critical bulletin addresses remote code, root privilege and denial of service risks but it mostly a workstation issue.  The patch actually fixes 3 different vulnerabilities that all reside in the same files.  At least one of the 3 security holes expose Windows XP SP2 and 2003 SP1 to critical risk but the general trend holds true that vulnerabilities being discovered have less impact on these 2 latest versions of Windows.  Getting your system upgraded to these 2 baselines will definitely pay off.

To exploit these vulnerabilities a user must open a specially crafted WMF (Windows Meta File) or EMF (Enhanced Meta File).  WMF and EMF files are image file formats designed for optimization on Windows systems.  Therefore this patch is very important on workstations and terminal servers running in application mode.  Provided you practice safe administration when logged on to normal servers you may well choose to defer installing this patch on servers like domain controllers, file, application and database servers.  Safe administration means not browsing the web or opening application documents or other files that might have come from the web. 

The more less you do interactively on a server the better. In fact the highest form isolating servers from interactive and local execution risks like those in this patch is to implement a Terminal Services Administration Point (TSAP).  With a TSAP you avoid 2 pitfalls simultaneously: using admin privileges at your workstation as well as eliminating the server risks related to interactive logons and local execution.  In my Complete Windows Security course I show you how to setup a TSAP between your workstation and servers for the best of all worlds.

BulletinExploit Types
/Technologies Affected
System Types AffectedExploit
details public?
/ Being exploited?
MS severity ratingProducts AffectedNotesRandy's recommendation

Arbitrary code

/ Windows
Terminal Servers
Yes/NoNoCritical Win2000
Server 2003
Small Business Server 2003
Small Business Server 2000
Getting your system upgraded to these 2 baselines will definitely pay off.Therefore this patch is very important on workstations and terminal servers running in application mode.

Receive Randy's same-day, independent analysis each Patch Tuesday

We will not share your address. Unsubscribe anytime. 

"Thank you. I am very glad I subscribed to this newsletter.  Relevant content clearly and concisely. Finally!!!"

- John K.

"I really like the Fast Facts on this Month's Microsoft Security Bulletins. Do you keep old copies? If yes, please let me know how I can access them?"

-Susan D.

"Thanks, Randy. Your regular updates have streamlined my monthly patching. Much appreciated,"

-  Steve T.

"Really appreciate your patch observor. In the corporate IT world, anything we can get our hands on that speeds the process of analyzing threats and how they may or may not apply to our environments is a God-send. Thanks so much for your efforts."

- Tess G.

"Many thanks for this Randy"

- Roger G.

"The chart is a REAAALLY good idea :)"

- Phil J.

"I like the table. Your insight is very valuable. "

Tom C.

"I liked your high level overview of patches in the table. There are so many sources of patch information which can be very specific or surrounded by other stuff that it’s refreshing to get everything summarised like this. The “Randy’s Recommendation” comment is useful starting point too. Please keep up the good work."

- David A.

"Your Patch Observer is a very good tool in making the decision whether to patch or not to patch. And also to patch asap or to wait a while before patching. Also I do think the use of the table is realy improving the readability of the provided information."

- Gerard T.


Additional Resources