Microsoft plugs Windows worm holes

The majority of the vulnerabilities addressed in nine security bulletins from Microsoft require some user interaction for an attack to succeed. That means an attacker would have to trick people into visiting a malicious Web site, clicking on a bad link or opening a malformed file to exploit the security holes.

However, the vulnerabilities rated "critical" may allow a system to be compromised remotely without any user interaction. One such flaw, described in Microsoft's MS05-051 security bulletin, lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC.

"It is a remote system vulnerability that could very easily be turned into a worm," said Marc Maiffret, the chief hacking officer at security specialist eEye Digital Security. "It is very similar to the vulnerability two months ago that resulted in the Zotob worm."

The MSDTC buffer overflow flaw primarily affects computers running Windows 2000. Depending on configuration, it could also be used against a computer with Windows XP with Service Pack 1 or Windows Server 2003, Microsoft said in its advisory.

"Among the critical updates, customers who run older versions of the operating system such as Windows 2000 should prioritize MS05-051 for deployment on those systems," said Stephen Toulouse, a program manager in Microsoft's Security Response Center.

The MS05-051 update also fixes three other bugs in Windows, but these carry varying risk ratings, depending on the operating system. One, deemed critical, is a flaw in a Windows component that handles resource management tasks, called COM+. This security hole is also found in Windows 2000 and Windows XP SP1.

People who run older versions of the operating system are more at risk from the MSTDC and COM+ vulnerabilities, Toulouse said. That goes for the rest of the rest of the 14 flaws tackled by the patches issued Tuesday.

"In general, many of these bulletins have a lower impact in terms of severity and are much more difficult to exploit on newer operating systems such as Windows XP SP2 and Windows Server 2003 SP1," Toulouse said.

Despite being put on the back burner by Microsoft, the older Windows 2000 is still popular among corporations..

Both the MSDTC and COM+ flaws were privately reported to Microsoft by researchers following the company's "responsible disclosure" practices. The software giant said it is not aware of any attacks that exploit the flaws.

Maiffret of eEye said he believes it will be only a matter of days for the first attack code to surface. "There is no technical challenge in writing a worm for the (MSDTC) vulnerability. It really depends if somebody decides to or not," he said. Microsoft's Toulouse said the software giant will be watching for malicious software.

Other risks
Microsoft has labeled two other security alerts as critical. One patch, delivered in MS05-050, fixes a problem in software for streaming media in Windows, called DirectShow. The other, in MS05-052, repairs problems in Internet Explorer similar to those patched in July and August.

The streaming media flaw affects all current versions of Windows. An attacker could exploit the flaw using a malformed media file, Microsoft said. A computer could be compromised when the user opened the file or visited a Web page that hosts the file.

The IE patch cuts links between the browser and other pieces of Microsoft software. The Web browser can inappropriately call on other Windows components, potentially allowing an intruder to commandeer a Windows PC, Microsoft said. The French Security Incident Response Team alerted Microsoft to one of these issues.

Of its six remaining security bulletins, Microsoft tagged four "important"--one notch below critical. These address vulnerabilities in various parts of Windows. One, MS05-048, affects Windows as well as Exchange, Microsoft's e-mail server software, and deals with a component that processes e-mail messages.

Another "important" update aims to repair a problem related to plug-and-play in Windows 2000 and Windows XP. The issue, outlined in MS05-047, cannot be exploited remotely by unauthenticated users, according to Microsoft.

A bug in the same component led two months ago to the spread of the Zotob worm, which took down systems across the United States, including those at cable news station CNN, television network ABC and The New York Times.

Also deemed "important" were bulletin MS05-049, on three vulnerabilities in how Windows deals with certain files and characters, and bulletin MS05-046, which involves a software component that supports Novell NetWare networks.

The last two alerts were given a "moderate" risk rating. One describes an issue with the Network Connection Manager in the 2000, XP and Server 2003 versions of Windows that could cause a system to crash. The update to patch it is delivered in bulletin MS05-045. The other is on a flaw in the Windows FTP client that could allow an attacker to change the location of a file transfer by hosting a malformed file on an FTP server.

Users of Microsoft patching mechanisms, such as Windows Automatic Updates, do not typically need to take action to receive the patches. Microsoft urges other people to download and install the fixes from its Web site.