Microsoft said on Thursday that it will offer six updates for 12 vulnerabilities next week including a critical hole in Internet Explorer that affects Windows 7 and other current versions of the operating system for which exploit code has been released.
Late last month, Microsoft said it was investigating an IE vulnerability after someone released proof-of-concept code affecting IE 6 and IE 7 that could be used to take control of computers.
Microsoft described the problem in an advisory issued November 23: "The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code."
Of the six updates Microsoft will release on Patch Tuesday, three of them are critical, according to a Microsoft security bulletin advance notification.
Software affected includes Windows 2000, Windows XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, and Office 2003.
Microsoft said on Thursday it will issue six patches next week for 15 vulnerabilities, including three critical bulletins affecting Windows and two important Office-related bulletins.
Affected software includes Windows 2000, XP, Server 2003, Vista, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Office 2004 for Mac, and Office 2008 for Mac, the company said in an advisory.
November's Patch Tuesday is a contrast to the record number of fixes issued last month--13 bulletins for 34 vulnerabilities.
Updated 2:52 p.m. PST to correct that there will be six patches fixing 15 vulnerabilities.
Microsoft released a record number of 13 bulletins for 34 vulnerabilities on Patch Tuesday--and the first critical update for Windows 7--as well as fixes for zero-day flaws involving Server Message Block (SMB) and Internet Information Services (IIS).
The most severe of the three SMB flaws, which were first reported last month, could allow an attacker to take control of a computer remotely by sending a specially crafted SMB packet to a computer running the Server service. Exploit code for one of the SMB holes has been posted to the Web, Microsoft said.
Windows 7 is affected by two critical patches intended to mend vulnerabilities that could allow remote code execution if a malicious Web page were viewed, one part of a cumulative security update for Internet Explorer and the other in .Net Framework and Silverlight.
The official release date for Windows 7 is October 22, but the new operating system has been available to some large businesses with volume licenses since the summer. The code was finalized in July.
Other critical patches in the security bulletin for October fix a vulnerability in Windows Media Runtime that could be exploited if a user opened a malicious media file or received malicious streaming content from a Web site or application, and if a specially crafted ASF (Advanced Systems Format) file is played using Windows Media Player 6.4.
Among the critical updates: a cumulative security update of ActiveX Kill Bits that is being exploited and that affects ActiveX controls compiled using Active Template Library (ATL); and another patch resolving several vulnerabilities in ATL ActiveX Controls that could allow remote code execution if a user loaded a malicious component or control. ActiveX and ATLs were the subject of an emergency patch Microsoft released in July.
The final critical bulletin fixes a hole in Windows GDI+ (Graphics Device Interface) that could allow an attacker to take control of a computer if the user viewed a malicious image file using affected software or browsed a malicious Web page.
"Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows, and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse-engineer today's patches, which may very well lead to exploits being created," said Dave Marcus, director of security research and communications at McAfee Labs.
Related "For the Record" podcast, with Symantec's Ben Greenbaum
Listen now:
Download today's podcast
Nine of the vulnerabilities were previously disclosed, which meant that attackers had time to come up with so-called "zero-day" exploits before the patches were available, Marcus noted.
The most alarming vulnerability in the mix is the SMB flaw, which was introduced by the patch for a different vulnerability, according to Josh Phillips, virus researcher at Kaspersky Lab.
Andrew Storms, director of security operations at nCircle, said the bug that is likely to have the biggest impact will be the critical one that affects Windows Media Runtime and involves a speech codec bug that has limited exploits in the wild. "This is a typical file-parsing issue and similar to vulnerabilities that have allowed attackers to create drive-by attacks that infect unsuspecting video viewers," he said.
Meanwhile, the critical SMB vulnerability is relatively difficult to exploit given default firewall conditions, but the IIS bugs are easy to exploit, Storms added.
"The sheer volume of the bulletins and patches is extreme," said Jason Miller, senior data team leader for Shavlik Technologies. "This is really going to affect administrators. It's going to be very challenging because of the time and research that's going to be needed" to patch systems.
Also released were five bulletins rated "important" to fix vulnerabilities in IIS, for which exploit code has been publicly released and for which there have been limited attacks, along with Windows CryptoAPI, Windows Indexing Service, Windows Kernel, and Local Security Authority Subsystem Service.
The update for Windows CryptoAPI relates to flaws in the way domain names are verified on the Internet, which could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. The holes were revealed by researchers Dan Kaminsky and Moxie Marlinspike at Defcon in August.
Affected software includes Windows 7; Windows 2000; Windows XP; Windows Vista; Server 2003 and 2008; Office XP, 2003, and 2007; Microsoft Office System; SQL Server 2000 and 2005; Silverlight; Visual Studio .Net 2003; Visual Studio 2005 and 2008; Visual FoxPro 8.0 and 9.0; Microsoft Report Viewer 2005 and 2008; Forefront Client Security 1.0; and Office software including Visio, Project, Word Viewer, and Works.
The installation also removes the Win/FakeScanti Trojan, which displays fake malware warnings and then asks computer users to pay for fake antivirus software.
(For more information and analysis from Symantec, listen to my colleague Larry Magid's podcast.)
Update: This story was updated at 2:15 p.m. PDT with additional comment and at 11:47 a.m. PDT with more details and reaction from experts.
Microsoft issued a formal security advisory late Tuesday on a reported zero-day flaw in Windows Vista and Windows Server 2008. However, the software maker also said that the flaw does not affect the final version of Windows 7, contrary to earlier reports.
"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation," Microsoft said in the advisory. "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."
The flaw could allow an attacker to gain control of a system, although Microsoft said that "most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."
The software maker said it is working with security software partners to provide information that can be used to create protections. Once its investigation is wrapped up, Microsoft said it will take action, which could include releasing a patch during its next monthly cycle or doing an "out-of-band" release, if necessary. Tuesday was Microsoft's monthly release for patches, which included five critical Windows updates addressing eight vulnerabilities.
The software maker said the latest issue affects the "release candidate" version of Windows 7, but not the final version that was completed in July. Also, the recently completed Windows Server 2008 R2 is not vulnerable, Microsoft said, nor are the earlier Windows XP and Windows 2000 operating systems.
Microsoft is already dealing with a separate, still unpatched flaw reported last week. Attacks have already been seen based on that vulnerability. Microsoft has taken issue with the fact that that flaw, like the latest one, was reported publicly as opposed to being privately disclosed to Microsoft, giving the company time to patch it.
Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.
While the issues affect different versions of Windows differently, Microsoft said none of the issues apply to the final version of Windows 7, which Microsoft wrapped up in July.
The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files. "We've seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected."
McAfee Avert Labs director Dave Marcus said that two of the flaws, in particular, relate to serious security vulnerabilities in the networking components of Window Vista, Windows Server 2008 and Windows Server 2003 that could allow for malicious software to spread from one PC to another.
"These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," Marcus said in a statement. "That said, all of today's security bulletins address vulnerabilities that could allow an attacker to take complete control of a vulnerable PC."
In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.
Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week. "Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately," Greenbaum said. "We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5."
There are already some attacks being seen based on that flaw.
"While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution," Microsoft said.
Meanwhile, Microsoft said Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.
As for the patches Microsoft did release on Tuesday, Qualys CTO Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions--the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.
"Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators," Qualys CTO Wolfgang Kandek said in an e-mail.
This is the error message on the Norton support Web site after users reported that the patch failed to install properly.
(Credit: Symantec)Symantec is providing a fix for customers who got error messages after a patch deployment went awry for some Norton users, the company said on Tuesday.
The problem started last Wednesday when Symantec deployed patches for Norton AntiVirus 2009, Norton Internet Security 2009, and Norton 360 v3 via LiveUpdate. Some customers received error messages saying that there was a problem with the Symantec Service Framework.
The patch, which is supposed to communicate with the hardware to ensure that it is correctly installed, did not handle the response from the hardware properly after it was installed, a company spokeswoman said.
The problem affected a small number of users, or fewer than 1 percent, and most of the customers reporting a problem are using PCs that have been specially configured or customized and are not "out-of-the-box" PCs and "only after reboot," the spokeswoman said.
There were more than 630 messages on the Norton user forum about the topic, a number of which expressed frustration with Symantec and accused the company of not doing enough to keep customers informed about the problem.
"This is insane. I'm looking for other antivirus options now and will soon remove Norton from all three of my machines. Next I'm going to post a review on Epinions advising others to stay far away," wrote one user. "This is garbage and I've had more than enough."
Another user wrote: "Well I just used the Norton Removal Tool for likely the last time. When the browser window with the Norton reinstallation instructions popped up, I chuckled as I closed it out and navigated to a competitor site were I promptly downloaded another AV product."
The company first learned of the problem from posts to the forum last Wednesday and posted messages the next day saying it was investigating the problem. It then provided an official response on Friday saying the problem had been identified, according to the spokeswoman. The fix was posted on Symantec's knowledge base and the forum on Saturday, she said.
Symantec customers can visit this Symantec page to download the fix.
Symantec also set up a link on Tuesday through Microsoft WinQual to help users locate a fix and will make the fix available to customers automatically via LiveUpdate this week, according to the spokeswoman.
The problem comes less than six months after Symantec released a diagnostic patch for some of its older Norton products that did not identify its origin and thus triggered alerts on firewalls. The company blamed human error for the release of the unsigned patch, a program dubbed "PFST.exe."
Microsoft will issue fixes for five critical holes affecting Windows and a variety of other software on Patch Tuesday next week.
The critical holes, which could allow an attacker to remotely run code on a PC and take control of it, affect Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and 2008, Windows Client for the Mac, Office 2000, XP and 2003, Microsoft Office Small Business Accounting 2006, Visual Studio .NET 2003, Microsoft Internet Security and Acceleration Server 2004 and 2006, and BizTalk Server 2002, according to a Microsoft security advisory released on Thursday.
Four additional vulnerabilities, rated "important," affect Windows and Windows .NET Framework and could allow an attacker to remotely execute code, launch a denial-of-service attack or elevate system privileges, the company said.
Microsoft on Tuesday issued patches to fix critical vulnerabilities in DirectShow and Video ActiveX that have been targeted in attacks, as well as fixes for holes in Embedded OpenType Font Engine and Microsoft Publisher that could allow someone to remotely take control of the PC.
Overall, the six "Patch Tuesday" updates fix nine vulnerabilities in Windows, Microsoft Office, Internet Security and Acceleration Server, Virtual PC, and Virtual Server.
The three DirectShow vulnerabilities could allow an attacker to remotely run code on the machine if a user opened a specially crafted QuickTime file. Microsoft warned of exploits against one of the holes in May.
The fix for the ActiveX control addresses a vulnerability that could allow remote code execution if someone viewed a malicious Web page via Internet Explorer using the ActiveX control. Microsoft offered a workaround for the hole last week.
Affected software for the critical updates is Windows 2000, Windows XP, Windows Vista, and Windows Server 2003 and 2008. The versions of Direct X affected are DirectX 7.0, 8.1, and 9.0.
The noncritical updates, rated "important," affect 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2006, Microsoft Virtual PC 2004 and 2007, and Microsoft Virtual Server 2005 R2.
In addition, Microsoft updated its Malicious Software Removal Tool (downloadable here) to remove the Win32/FakeSpypro rogue security program designed to trick people into paying for alleged security software they don't need.
Meanwhile, a comprehensive update for the Office Web Components vulnerability affecting Excel, which the company said on Monday was being exploited in attacks, was not yet ready for broad distribution, according to Microsoft. The company is urging customers to apply the automatic "Fix It" workaround, provided in Knowledge Base Article 973472.
Mozilla has fixed a number of security holes and made some stability improvements to the public version of Firefox. Available for Windows, Mac, and Linux, Firefox 3.0.11 also addresses a specific bug that would corrupt a user's bookmarks database.
According to the Bugzilla report, the corrupted bookmark database was the most common bug reported via Live Chat and in the Firefox support forum.
The security patches in v3.0.11 fix a hole in a JavaScript chrome execution along with other arbitrary code executions, URL spoofing, and memory corruption. The full list of security fixes can be read here, and the release notes are available here.
Updated at 2:20 p.m. PDT with Adobe update released; at 12:25 p.m. PDT with Microsoft saying this is a record number of vulnerabilities addressed in Patch Tuesday; and at 11:45 a.m. PDT with comment.
Microsoft has released 10 security updates fixing a record number of Patch Tuesday holes, including one for a critical hole in Internet Explorer 8 that was exploited as part of a hacking contest at CanSecWest in March.
The bulletin addresses 31 vulnerabilities. "It's the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003," a Microsoft spokesman said.
The June security Patch Tuesday bulletin resolves eight vulnerabilities in IE, the more severe of which could allow remote code execution if a user views a specially crafted Web page. The IE8 vulnerability does not affect Windows 7 RC (build 7100), but does affect Windows 7 beta.
The updates also plug two critical holes in implementations of Active Directory on Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode installed on Windows XP Professional and Server 2003, the worse of which could allow an attacker to take control of a system remotely.
The security update fixes three critical vulnerabilities in Windows Print Spooler that could allow remote code execution if an affected server received a specially crafted RPC (remote procedure call) request.
Several vulnerabilities in Office Word and Excel are addressed in the update that could allow an attacker to remotely run code or take control of the machine using a specially crafted Word or Excel file. The update fixes the PowerPoint vulnerability Microsoft warned in April was being exploited in limited, targeted attacks that was fixed in the Windows version last month.
The update includes a patch for an important hole in its IIS Web server product that Microsoft reported in May.
"We didn't see any in-the-wild exploitations of the (IIS WebDav) vulnerability but typically when Microsoft releases those alerts they're doing it because a customer" has alerted them to an exploit, said Steve Manzuik, senior manager of security research at Juniper Networks.
Also fixed is a critical vulnerability in Microsoft Works Converters, important vulnerabilities in RPC and Windows Kernel. And Microsoft fixed a moderate vulnerability in Windows Search that could allow information disclosure if a user performs a search that returns a specially crafted file as the first result, or if the user previews a malicious file from the search results. By default, the Windows Search component is not preinstalled on Windows XP and Server 2003.
Products affected by the updates include Windows 2000, XP, XP Professional edition, Vista, Server 2003, Server 2008; Office 2000, 2003, 2007, and XP; and Microsoft Office 2004 and 2008 for the Mac.
Other affected software includes Office Excel Viewer; Office Word Viewer; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats; Works 8.5 and 9.0; and Office SharePoint Server.
The updates did not include a fix for a vulnerability in Microsoft's DirectX streaming media technology in Windows disclosed late last month that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.
"They probably didn't have time to QA (quality assurance test) it adequately," said Wolfgang Kandek, chief technology officer at Qualys. "It doesn't surprise me because look at how many vulnerabilities they had in this release. It must have been an enormous workload for these teams to fix all of these."
Adobe also issued security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday in its first quarterly security update for its popular software for creating and reading PDF files.
The updates, available from Adobe's site, resolve critical vulnerabilities in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions that could cause the application to crash and could potentially allow an attacker to take control of the system.
