By Gregg Keizer
June 14, 2005
Microsoft on Tuesday rolled out 10 security bulletins that covered 12
vulnerabilities, and for the first time, offered up its monthly patch
batch using the revamped update services and tools for both
individuals and enterprises.
Three of the 12 vulnerabilities were marked as "Critical," Microsoft's
most urgent alert level in its four-step warning system. All three
affect OS components or flaws in Internet Explorer that have been
patched multiple times in the past.
The three bulletins with Critical vulnerabilities, MS05-025, 026, and
027, said Microsoft, affect Internet Explorer; the HTML Help system in
Windows 2000, XP, and Server 2003;
and the Server Message Block (SMB) protocol in Windows 2000, XP, and
"All three of these services have been patched in the past," said Mike
Murray, the director of research at vulnerability management vendor
nCircle. "In fact, one of the IE vulnerabilities, the XML redirection
vulnerability, is just a new variant of an older vulnerability."
Murray rejected the idea that the patch-repatch-patch-again process
proves that Microsoft has a quality control problem. Instead, he laid
the blame at the feet of smart vulnerability researchers and hackers.
"There are some clever people figuring out previous patches, and then
saying 'if I did X and Y, I could get around that patch,'" said
Microsoft security program manager Stephen Toulouse naturally agreed.
"It's more a matter of the focus that researchers bring to it [that
decides which vulnerabilities get found]," he said. "One of the things
that we do when we receive a report from a researcher is actually do
code reviews to see, for instance, how the affected code
interoperates. In these cases, the vulnerabilities were just different
enough [from prior vulnerabilities] that they weren't caught in those
earlier code reviews."
The vulnerability with the potential to wreak the most havoc, said
Murray and others, is MS05-027, the flaw in SMB, the protocol that
Windows uses to share files, printers, and serial ports, and to
communicate between computers. Similar to, but not a repeat of, a
bulletin released in February, 027 could be exploited by a worm on the
order of, say, MSBlast, said Murray.
"If you read the bulletin, it doesn't say anything about
authentication," said Murray. "In other words, does an attacker need
to have a valid log-in username and password? If not, and it doesn't
require authentication, that means anyone can break into the box."
Toulouse of Microsoft confirmed that the SMB vulnerability didn't
require authentication, but stressed that the most likely result of an
attack would be a less-dangerous denial of service. "Even so, we're
erring on the side of caution, and rating this as Critical because of
the theoretical potential."
nCircle's Murray took the word "theoretical" with a grain of salt. "If
there's a way to exploit a vulnerability, hackers will do it," he
"This is definitely serious. It's the only vulnerability of the bunch
that could be exploited by a large-scale network worm," Murray said.
But he also hedged his bets, perhaps because a similar call in
February was quickly proved wrong after additional analysis. "We'll
know more in the next six hours or so, as we examine the
Other analysts also tagged MS05-027 as the one to watch. Neel Mehta, a
team leader with Internet Security Systems' X-Force security research
group, named it as his number 1 threat "because of its scope and the
fact that user authentication's not required, nor user interaction."
Writing an exploit for the SMB bug won't be easy -- Mehta called it
"fairly challenging" -- but he said it wouldn't be long, perhaps
within the week, before an exploit appeared. "It's actually more
potentially dangerous than the February vulnerability in SMB," he
added. "We're going to be tracking this carefully."
Windows XP SP2 users who have left the by-default-enabled Windows
Firewall in place are protected to some extent, said several of the
researchers interviewed, since it automatically blocks the external
ports used by the SMB service. "But if someone has disabled the
firewall, or has turned file sharing on," Mehta explained, "they could
It was the other two Critical bulletins -- one that fixes flaws in how
IE processes PNG (Portable Network Graphics) image files, another in
Windows' HTML Help -- that got the attention of another researcher,
Alfred Huger, vice president of engineering for Symantec's security
"I think 025 and 026 are the ones I found the most alarming," said
Huger. "Both the PNG and HTML vulnerabilities are dangerous because
they can affect so many end targets. Essentially, anyone with IE
that's unpatched is at risk. And we've seen how fast phishers and
rogue Web sites are in picking up on graphics vulnerabilities." Like
Mehta, Huger expects to see exploits soon. "There will be
exploits within the week," he said of the PNG bug.
The remaining seven bulletins, which detail and patch four
vulnerabilities marked as "Important" and four labeled "Moderate,"
cover a variety of Windows components or Microsoft applications,
ranging from Outlook Web Access on the aging Exchange Server 5.5 to
Microsoft Internet Security and Acceleration (ISA) Server 2000.
Patches can be downloaded using the new Microsoft Update service or,
for enterprises, the just-released Windows Server Update Services.
Those services, said Microsoft's Toulouse, were "working just fine"
Tuesday in their debut.