Patch Tuesday Analysis for August 2005

Whew! 6 bulletins and a lot of research to do. Combine that with canceled flights and losing my phone/PDA and I end up missing my self-imposed update for this commentary. Thank you for your patience.

This month you have quite a few decisions to make regarding which updates need to be rolled out to both workstations and servers. As always, one of the key issues I consider when analyzing these bulletins is assessing under which circumstances it's necessary to install the associated update. Withholding updates from systems where it is safe to do so can save a lot of work associated with testing and deployment, as well as reduce threats to stability from defective updates. You may decide to withhold some of these updates for certain systems based on the issues I highlight below. This month really highlights the benefit of implementing XP SP2 and Windows Server 2003. These two versions are the first real products of Trustworthy Computing and, while I've not been assimilated by Redmond, I believe in giving credit when it's due. This month also demonstrates the benefits of attack surface reduction (e.g. disabling unneeded services) that I've been preaching for years. Attack surface reduction may eliminate the need to install half of these updates on certain systems that don't print, use telephony or accept remote desktop protocol connections.

MS05-038 - Cumulative Security Update for Internet Explorer (896727)

This update fixes several new vulnerabilities in Internet Explorer and in email clients like Outlook and Outlook Express, which use IE to render HTML. The vulnerabilities allow a remote (semi-passive) attacker to execute arbitrary code under the authority of the user. Bottom line: I see no choice for user workstations and Terminal Servers that have access to the Internet but to install this update as soon as possible. The published workarounds either break highly used features of IE or rely on end-users to make security decisions. For servers you can avoid installing this update if you can ensure that administrators do not or cannot read email and browse the Web from the server. The vulnerabilities rely on maliciously coded web pages or email content. Microsoft says a mitigating factor with IE vulnerabilities like this is that a user would have to be lured to a malicious site or to a legitimate site that had been compromised by the attacker. However, don't forget that many sites such as eBay allow users to post HTML and images to dynamically created pages, which isn't quite the same thing as a hacked site. Therefore HTML and image based vulnerabilities like those in this update shouldn't be viewed as "theoretical" or as an "outside chance". For most organizations I recommend installing this update to workstations but not to servers, especially since it requires a restart. If you choose not to install this update to servers you must ensure that administrators do not browse the web or read email from an interactive logon at a server, which is already an established best practice. There are some possible collision issues with other hotfixes you may have loaded, so be sure to read the "Security Update Information" section for this update.

MS05-039 - Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)

If your workstations are XP SP2 and your servers Windows Server 2003 SP1, you can probably relax: on those versions this vulnerability can only be exploited by users logged on locally. Provided server logons are limited to administrators it's not really an issue, since administrators are already all powerful. So at worst an end user could grab administrator authority on his workstation. If you have an advanced workstation security model in which end-users do not hold administrator authority, you may be concerned about this vulnerability, but keep in mind that there are no reports of proof-of-concept code being published as of this time.

If your workstations are XP SP1 you are vulnerable to remote attacks, but only by authenticated users who can access TCP ports 139 or 445. To avoid installing this update on XP SP1 computers, consider using an IP Security Policy to block access to those ports from all source IP addresses except computers that have a legitimate reason to access the workstation remotely, such as SMS servers and workstation support staff. If there's no need to access XP SP1 systems remotely for support or management you can also just enable Internet Connection Firewall without allowing exceptions for these ports. On Windows 2000 this vulnerability can be exploited by remote, anonymous attackers. For Windows 2000 workstations, to avoid installing this update consider the same suggestions indicated for XP SP1. For Windows 2000 Server I see no alternative but to recommend loading the update. This update does require a restart.

MS05-043 - Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)

The bottom line with this vulnerability is that you should install the update on any computer that has shared printers or uses shared printers. Evidently this vulnerability doesn't affect computers that have locally attached printers that are not shared, or network printers that you print to directly rather than through a Windows share. (I haven't yet received confirmation on this point but that is what all documentation indicates.) The risk to XP SP2 and Windows Server 2003 is limited to denial of service, but back-level systems could sustain arbitrary remote code execution and privilege escalation.

MS05-040 - Vulnerability in Telephony Service Could Allow Remote Code Execution (893756)

This is mainly a server vulnerability; on Windows 2000 and XP the risk is limited to local privilege escalation, which will mostly concern those maintaining an advanced secure workstation model where end-users lack local administrator authority. See the considerations in my commentary for MS05-039. Windows 2000 Server and Windows Server 2003 are only vulnerable if the Telephony service is started. Disabling this service eliminates the risk but will break RRAS and other applications like fax and voice mail servers. Bottom line: I recommend installing this patch on servers that actually require the Telephony service and disabling the Telephony service on other servers. This vulnerability highlights the benefit of attack surface reduction through disabling unneeded services and features.
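The attack surface reduction argument above and in the Print Spooler section comes down to one question per host: is the service behind the bulletin running, and what else breaks if you turn it off? The following script is an added example, not from the original commentary, that audits the Telephony (TapiSrv), Print Spooler (Spooler) and Terminal Services (TermService) services on a host and lists the services that depend on Telephony before you decide to disable it; the host name argument and the assumption that your account has remote SCM rights are mine.

```batch
@echo off
rem Added example: audit the services behind MS05-040 (TapiSrv), MS05-043
rem (Spooler) and MS05-041 (TermService) on one host. Run as an account with
rem rights to query the remote Service Control Manager. Usage: audit.cmd HOST
set HOST=%1
if "%HOST%"=="" set HOST=%COMPUTERNAME%

for %%S in (TapiSrv Spooler TermService) do (
  echo === %%S on %HOST% ===
  rem Current state (RUNNING / STOPPED) and configured start type.
  sc \\%HOST% query %%S | findstr /C:"STATE"
  sc \\%HOST% qc %%S | findstr /C:"START_TYPE"
)

rem Anything listed here (RRAS, fax, voice mail, ...) stops working if the
rem Telephony service is disabled, so review it before changing TapiSrv.
echo === Services that depend on Telephony on %HOST% ===
sc \\%HOST% enumdepend TapiSrv

rem To actually remove the exposure on a server that has no dependents and no
rem legitimate need for telephony, uncomment the two lines below. Note the
rem space after "start=": sc requires it.
rem sc \\%HOST% config TapiSrv start= disabled
rem sc \\%HOST% stop TapiSrv
```

A host that shows TapiSrv STOPPED with START_TYPE DISABLED is not exposed to MS05-040 regardless of whether the update has been applied, which is the point of the attack surface argument.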

MS05-041 - Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (899591)

This vulnerability is limited to denial of service and does not affect systems unless Terminal Services, Remote Desktop or Remote Assistance is in use, which enables incoming RDP connections. Systems with the Terminal Services service disabled are immune. While it affects both servers and workstations (Windows 2000, XP and 2003), you should weigh the likelihood and impact of this vulnerability being exploited against your systems. Some administrators may choose to limit rollout of this update to Terminal Services servers that deliver end-user remote desktop functionality and to any servers that expose port 3389 to the Internet. Consider protecting computers that accept RDP connections with an IP Security Policy. See my article at http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/20288/20288html for details.
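Both the MS05-039 commentary (TCP 139/445) and the paragraph above (TCP 3389) suggest the same compensating control: an IP Security Policy that blocks the port from everywhere except the hosts that legitimately need it. The script below is an added example, not the author's, of building that policy with netsh ipsec on XP SP2 or Windows Server 2003; it assumes a placeholder management subnet of 10.1.2.0/24 for SMS servers and support staff, and is meant for workstations and servers where only support staff need SMB or RDP, not for Terminal Servers that serve end users. On XP SP1 and Windows 2000, which lack netsh ipsec, the same policy is built in the IP Security Policy MMC snap-in or with the ipseccmd/ipsecpol tools.

```batch
@echo off
rem Added example: IP Security Policy that blocks inbound TCP 139, 445 and
rem 3389 from all sources except a management subnet (MS05-039 / MS05-041
rem workaround). 10.1.2.0/24 is a placeholder; replace it with your own.
set POL=Restrict SMB and RDP
set MGMT=10.1.2.0
set MGMTMASK=255.255.255.0

rem Filter list 1: the three ports from any source. mirrored=yes also covers
rem the reply direction of the same connection.
netsh ipsec static add filterlist name="Inbound SMB/RDP (all sources)"
for %%P in (139 445 3389) do netsh ipsec static add filter filterlist="Inbound SMB/RDP (all sources)" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes

rem Filter list 2: the same ports, but only from the management subnet.
netsh ipsec static add filterlist name="Inbound SMB/RDP (management)"
for %%P in (139 445 3389) do netsh ipsec static add filter filterlist="Inbound SMB/RDP (management)" srcaddr=%MGMT% srcmask=%MGMTMASK% dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes

rem Filter actions: plain block and plain permit, no IPsec negotiation.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem One policy, two rules. Windows IPsec applies the most specific matching
rem filter, so the management-subnet permit overrides the any-source block.
netsh ipsec static add policy name="%POL%" description="MS05-039 / MS05-041 workaround"
netsh ipsec static add rule name="Block from all sources" policy="%POL%" filterlist="Inbound SMB/RDP (all sources)" filteraction="Block"
netsh ipsec static add rule name="Permit from management" policy="%POL%" filterlist="Inbound SMB/RDP (management)" filteraction="Permit"

rem Assign (activate) the policy and display it for verification.
netsh ipsec static set policy name="%POL%" assign=y
netsh ipsec static show policy name="%POL%"
```

Verify from a management host that file sharing and Remote Desktop still connect, and from any other host that connections to 139, 445 and 3389 are refused; a domain-assigned IPsec policy overrides a locally assigned one, so check `netsh ipsec static show policy all` if the local policy does not appear to take effect.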

MS05-042 - Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587)

This vulnerability only affects domain controllers (both Windows 2000 Server and Windows Server 2003). Unless you are using smart cards for interactive logons the risk is limited to denial of service against domain controllers. A denial of service attack against domain controllers would affect all users and systems on the network. If you are using smart cards for interactive logons then you are exposed to the PKINIT vulnerability of this bulletin which is much more serious; the risks include information disclosure and spoofing of domain controllers or servers. Note that this update includes a new feature to protect against other PKINIT vulnerabilities which requires all workstations (2000 and XP) to be updated as well. Bottom line: Since this vulnerability could cause an outage for your entire Windows network you should update your domain controllers after testing and monitoring for any problems discovered by those on the bleeding edge. I definitely recommend installing this update if you are using smart cards and that you enable the new RequireAsChecksum feature but carefully read the information regarding deployment sequence and configuration of this setting so that workstations are not inadvertently denied access to the domain.

| Bulletin (KB) | Exploit types / Technologies affected | System types affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS05-040 (893756) | Arbitrary code / Windows | Workstations, Terminal Servers, Servers | No / No | Yes | Important | Win2000, XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Advanced Server 2000, Small Business Server 2000 | Windows 2000 Server and Windows Server 2003 are only vulnerable if the Telephony service is started. | I recommend installing this patch on servers that actually require the Telephony service and disabling the Telephony service on other servers. |
| MS05-043 (896423) | Arbitrary code / Windows | Workstations, Terminal Servers | No / No | No | Critical | Win2000, XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Advanced Server 2000, Small Business Server 2000 | None | The bottom line with this vulnerability is that you should install it on any computer that has shared printers or uses shared printers. |
| MS05-038 (896727) | Arbitrary code, Information disclosure / IE | Workstations, Terminal Servers, Servers | Yes / No | No | Critical | Win2000, XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Advanced Server 2000, Internet Explorer, Windows Millennium, Win98 | If you choose not to install this update to servers you must ensure that administrators do not browse the web or read email from an interactive logon at a server, which is already an established best practice. There are some possible collision issues with other hotfixes you may have loaded, so be sure to read the "Security Update Information" for this update. | For most organizations I recommend installing this update to workstations but not to servers, especially since it requires a restart. |
| MS05-042 (899587) | Denial of service, Information disclosure, Spoofing / Windows | Domain Controllers | Yes / No | No | Moderate | Win2000, XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Advanced Server 2000, Small Business Server 2000 | Since this vulnerability could cause an outage for your entire Windows network you should update your domain controllers after testing and monitoring for any problems discovered by those on the bleeding edge. | I definitely recommend installing this update if you are using smart cards and that you enable the new RequireAsChecksum feature, but carefully read the information regarding deployment sequence and configuration of this setting so that workstations are not inadvertently denied access to the domain. |
| MS05-039 (899588) | Arbitrary code, Privilege elevation / Windows | Workstations, Terminal Servers, Servers | No / No | Yes | Critical | Win2000, XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Advanced Server 2000 | None | To avoid installing this update on XP SP1 computers consider using an IP Security Policy to block access to those ports from all source IP addresses except computers that have a legitimate reason to access the workstation remotely, such as SMS servers and workstation support staff. If there's no need to access XP SP1 systems remotely for support or management you can also just enable Internet Connection Firewall without allowing exceptions for these ports. On Windows 2000 this vulnerability can be exploited by remote, anonymous attackers. For Windows 2000 workstations, to avoid installing this update consider the same suggestions indicated for XP SP1. For Windows 2000 Server I see no alternative but to recommend loading the update. This update does require a restart. |
| MS05-041 (899591) | Denial of service / Windows RDP | Workstations, Terminal Servers, Servers | No / No | No | Moderate | Win2000, XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Advanced Server 2000, Small Business Server 2000 | Consider protecting computers that accept RDP connections with an IP Security Policy. | Some administrators may choose to limit rollout of this update to Terminal Services servers that deliver end-user remote desktop functionality and any servers that expose port 3389 to the Internet. |
