Windows’ Gaping, Seven Month Hole

Quite a big hoo-ha over this latest Microsoft vulnerability, and I readily ‘fess up to the fact that I didn’t really take this seriously. Seems like I wasn’t the only one.

But folk like Shawna McAlearney of SearchSecurity.com point out that the delay of 200 days between Microsoft being notified and their coming out with a patch is appallingly long. “If Microsoft really considered this a serious or critical vulnerability for nearly all Windows users, it should have been a ‘drop-everything-and-fix’ thing resolved in a short period of time,” Shawna quotes Richard Forno, a security consultant, as saying. “Nearly 200 days to research and resolve a ‘critical’ vulnerability on such a far-reaching problem is nothing short of gross negligence by Microsoft, and is a direct affront to its much-hyped Trustworthy Computing projects and public statements about how security is playing a much more important role in its products.” Strong stuff.

So what is all the fuss about? The vulnerability in question can, in theory, permit an unauthenticated, remote attacker to execute arbitrary code with system privileges: That means a ne’er-do-well could do anything they want on your computer. And while it hasn’t happened yet, to our knowledge, it’s only a question of time, according to Scott Blake, vice president of information security at Houston-based BindView Corp.: “We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation — it’s simply a case of when it materializes.”

Paul Thurrott, of WinNetMag, weighs in with his view, pointing out that the flaw is a very simple one: “attackers can compromise the flaw with a simple buffer-overrun attack, a common type of attack that Microsoft has wrestled with since its Trustworthy Computing code review 2 years ago.”

News: Microsoft Realises Patches Don’t Work Shock

From the About Time Dept comes news that Microsoft realises the whole ‘issue a patch to cover a hole, knowing only a few people actually download it’ approach may be, er, flawed. CNET reports that Microsoft plans next week to outline a new security effort focused on what the company calls “securing the perimeter”. Details are thin, but appear to involve a deeper relationship with firewall providers.

Watch this space. My two pennies’ worth: The Windows Update process, where your computer tells you what’s new and what needs downloading, is actually not bad. But the wordings of the messages are too nerdy, and there’s no easy way to compare what you have installed on your computer to the most salient threats. Tell the user what the problem is and what needs fixing. Give the patches names or numbers we can understand. Oh, and write better software.

News: Beware Of Patches That Don’t Patch

From the This Doesn’t Inspire Confidence Dept comes news that a patch recently released by Microsoft to fix a critical security vulnerability in its Internet Explorer browser does not work, according to security experts. CNET says that the vulnerability was discovered by eEye Digital Security around four months ago. The vulnerability in question can be exploited by crafting a malicious HTML file that, when viewed by an Internet Explorer browser, extracts and executes malicious code.

Two patches have since been released, but, according to eEye, neither fixes the vulnerability it is supposed to. If you’re worried, disable active scripting in your browser until Microsoft updates the patch. (Go to Tools/Options/Security/Custom Level, and then scroll down until you get to Active Scripting.)

News: A Patch In Time Saves You Online

This from the guys at Information Security Magazine, a warning about some new, and serious vulnerabilities in Microsoft software. The most critical vulnerability is titled “Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution” (MS03-037). Microsoft provided few details about the actual vulnerability, but says the flaw is dangerous and users of affected software should apply patches immediately. This is not just for techheads and sysops: Affected software includes Access (97/2000/2002), Excel (97/2000/2002), PowerPoint (97/2000/2002), Project (2000/2002), Publisher 2002, Visio (2000/2002), Word (97/98(J)/2000/2002), Works Suite (2001/2002/2003) and several versions of Microsoft Business Solutions.

There are other vulnerabilities too:
“Flaw in Word Could Enable Macros to Run Automatically” (MS03-035)
“Buffer Overrun in WordPerfect Converter Could Allow Code Execution” (MS03-036)
“Unchecked Buffer Overflow in Microsoft Access Snapshot Viewer Could Allow Code Execution” (MS03-038)
“Flaw in NetBIOS Could Lead to Information Disclosure” (MS03-034)

If we’ve learned nothing in the past month, we should have at least learned to patch, patch and keep patching.

Update: Microsoft May Stop Footing Pussies

Security Wire Digest, published by Information Security Magazine, reports that Microsoft may stop pussyfooting around on updates to its Windows operating system. In the wake of the worm that ripped through networks worldwide by exploiting a vulnerability for which a patch had been released more than three weeks before, the company is considering several plans to beef up security in its products which may automatically install patches on PCs.

Privacy advocates will have a problem with this, but it’s logical. Most folk don’t update properly, or even know they’re supposed to, although I wonder whether it may leave Microsoft vulnerable legally. It’s tantamount to saying ‘what we’re selling you isn’t safe unless you let us keep patching it.’

Update: Beware Worms Carrying Gifts

You’ve probably heard of the computer worm that is seemingly benign: W32.Welchia.Worm targets customers infected with the W32.Blaster.Worm, deletes it, attempts to download the patch from Microsoft’s Windows Update Web site to correct the hole that allowed the worm in the first place, installs the patch, and then reboots the computer. All very nice, on the surface. But then the worm checks for active machines to infect by sending an ICMP echo, or PING, which generates a lot of traffic. That’s where the problem starts.

Symantec says it’s been receiving reports of severe disruptions on the internal networks of large enterprises caused by ICMP flooding related to the propagation of the W32.Welchia.Worm. (Read: large amounts of unnecessary traffic that slows networks to a crawl.) In some cases enterprise users have been unable to access critical network resources. “Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,” said Vincent Weafer, senior director, Symantec Security Response.

In large corporations it will take weeks, maybe months to install the original patch. With all this traffic on their networks, Symantec says, those patches can’t be installed. What to do if you’re infected with the W32.Welchia.Worm? Symantec has posted a removal tool. Use it. There’s no such thing as a nice worm.
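The ICMP echo sweeps described above are what make Welchia visible on a network long before anyone looks at an infected PC: one host pinging dozens of distinct addresses in a few seconds is not normal desktop behaviour. The script below is an added illustration, not code from the original post or from Symantec; it reads a constructed, simplified ICMP log (timestamp, type, source, destination) and flags any source that reaches more distinct destinations within a sliding time window than a threshold allows. The log format, the 10-second window and the 20-host threshold are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # sliding window length (assumed for the example)
THRESHOLD = 20                  # distinct destinations per window that counts as a sweep (assumed)


def build_sample_log():
    """Constructed sample log: one sweeping host, one ordinary host, one reply line."""
    lines = []
    for i in range(1, 31):  # 10.1.2.3 pings 30 different hosts within four seconds
        lines.append(f"2003-08-19 10:00:{i % 4:02d} ICMP echo-request 10.1.2.3 -> 10.1.5.{i}")
    for s in (1, 5, 9):     # 10.1.2.9 just pings its gateway a few times
        lines.append(f"2003-08-19 10:00:{s:02d} ICMP echo-request 10.1.2.9 -> 10.1.5.254")
    lines.append("2003-08-19 10:00:02 ICMP echo-reply 10.1.5.254 -> 10.1.2.9")  # ignored
    return lines


def parse_line(line):
    """Return (timestamp, src, dst) for an echo-request line, else None."""
    parts = line.split()
    if len(parts) != 7 or parts[2] != "ICMP" or parts[3] != "echo-request":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts, parts[4], parts[6]


def find_sweepers(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each sweeping source to the peak number of distinct destinations it hit in one window."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst = rec
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # log order is not guaranteed to be chronological
        counts = defaultdict(int)       # dst -> echo requests still inside the window
        start = best = 0
        for ts, dst in evs:
            counts[dst] += 1
            while ts - evs[start][0] > window:  # evict requests that fell out of the window
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(find_sweepers(build_sample_log()))  # {'10.1.2.3': 30}
```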