After skipping its December security update even after the publication of several new vulnerabilities — some of which were used to perpetrate Internet crimes, such as identity theft and financial scams — Microsoft has released several security patches as part of its new monthly security initiative.
The patches primarily address issues in three of Microsoft’s enterprise software packages: Exchange Server 2003; Internet Security and Acceleration Server 2000; and Windows database operations.
However, an Internet Explorer vulnerability that lets attackers easily spoof Web sites and URLs — thereby tricking users into downloading code, disclosing personal information or otherwise compromising themselves and their machines — was not addressed.
Sunil James, iDefense director of vulnerability intelligence, told TechNewsWorld that omission of the Explorer fix is somewhat surprising, especially considering that the vulnerability was disclosed at the end of November and that Microsoft skipped its December security update.
“We expected January to be very, very heavy,” said James, who referred to Microsoft’s latest security release as light. “The only thinking I have now is that the February release is going to be tremendous.”
Internet Explorer Unpatched
While he did express some surprise that Microsoft did not address the Explorer issue, which recently has been the basis of many information-stealing scams, James said the company likely has good reason for its decision.
“One conclusion you could draw is that Microsoft is waiting to pull all of the patches together for a service pack for Internet Explorer,” he said, adding that the company might not have viewed the issue as a serious vulnerability or might have been overwhelmed by “an influx of things to deal with and test.”
Gartner research vice president Richard Stiennon said a fix for the Explorer hole typically would have been released by now, but he credited two things for its omission in the latest update: the extreme difficulty of patching Explorer without crippling it; and the fact that the exploit is not the type that could be turned into a mass-propagating worm, such as Slammer or Blaster.
Security Response Balance
In a statement to TechNewsWorld, Microsoft indicated it is still actively investigating the Internet Explorer vulnerability to determine the appropriate course of action, which might include a fix through its monthly patch-release process or an out-of-cycle patch released specifically for IE.
“Security response requires a balance between time and testing, but Microsoft will only release a patch — when warranted — that is well engineered and as thoroughly tested as possible, whether that is a day, week, month or longer,” the statement said.
“In security response, an incomplete patch can be worse than no patch at all if it only serves to alert malicious hackers to a new issue,” the company added.
Site Spoofing on the Upswing
Despite their defenses of Microsoft and its new, monthly patching schedule, security experts acknowledged that the Explorer hole, which allows attackers and data thieves to alter the URL displayed in the browser’s address bar, illustrates a growing concern.
Site-spoofing tricks, also known as phishing, use official-looking Web sites to dupe users into downloading malicious code or providing personal or financial information. These schemes have affected several high-profile companies, including PayPal, Citibank, EarthLink and even Microsoft itself.
“It is becoming more serious,” Stiennon said. “Criminal activities online are becoming profitable now by successful organizations in Eastern Europe and elsewhere. They’re going to leverage their success, and we’re going to see more and more of this.”
James said the new attacks — which are increasing in number as criminals learn from and build upon one another’s success — represent a significant issue for the Internet community because the attackers have enhanced their sophistication.
“The typical steps — user education, watching the URL bar — they don’t qualify as much,” James said. “Now you need to look for site certification and the lockbox to be sure a site is secure.”
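The experts above make a narrower point than "never trust the address bar": the readable text of a URL and the host a browser actually connects to can differ, and the user-facing cue (the lock icon, the certificate) is what ties a page to a site. The following is an added example, not code from the article or from Microsoft: a small URL triage routine, written from a defender's stance, that extracts the real host from a link and flags constructs commonly used to make a link read like a trusted site (credentials placed before the host so the brand name appears first, a bare IP address as host, a brand name appearing only in a subdomain or path, and no TLS). The sample URLs, the `example-bank.com` brand and the `203.0.113.5` address are constructed; the two-label "registered domain" approximation is an assumption that a real deployment would replace with the Public Suffix List.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample links (not from the article). The brand domain is invented.
SAMPLE_URLS = [
    "https://www.example-bank.com/login",                     # legitimate
    "http://www.example-bank.com@203.0.113.5/login",          # brand before '@' is userinfo, not host
    "http://www.example-bank.com.attacker-site.test/login",   # brand only in a subdomain
    "http://203.0.113.5/login",                               # bare IP literal
]

# Domains the organisation actually owns (assumption: a short allow-list).
TRUSTED_DOMAINS = ["www.example-bank.com"]


def real_host(url: str) -> str:
    """Return the host the browser will actually connect to, lowercased.

    urlsplit() follows RFC 3986: anything before '@' in the authority is
    userinfo, so 'www.example-bank.com@203.0.113.5' yields host 203.0.113.5.
    """
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.

    Assumption for this example only; use the Public Suffix List in practice
    (it handles cases such as example.co.uk correctly).
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def spoof_indicators(url: str, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Return a list of textual indicators that the link may be a spoof.

    An empty list means no indicator fired; it does not prove the link is safe.
    """
    parts = urlsplit(url)
    host = real_host(url)
    findings = []

    # 1. Credentials before the host: the text a reader sees first is not the site.
    if parts.username is not None:
        findings.append("userinfo-before-host")

    # 2. Host is an IP literal rather than a name tied to a certificate.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass

    # 3. No TLS: no certificate and no lock icon to check against.
    if parts.scheme != "https":
        findings.append("no-tls")

    # 4. A trusted brand's domain appears in the link but is not the registrable domain.
    actual = registered_domain(host)
    for brand in trusted_domains:
        brand_reg = registered_domain(brand.lower())
        if brand_reg != actual and brand_reg in url.lower():
            findings.append(f"lookalike-of:{brand_reg}")

    return findings


def triage(urls=SAMPLE_URLS) -> dict:
    """Map each URL to its indicator list; useful over a batch of links from mail or logs."""
    return {u: spoof_indicators(u) for u in urls}


if __name__ == "__main__":
    for url, flags in triage().items():
        print(f"{url:60s} host={real_host(url):40s} {flags or 'clean'}")
```

The check is deliberately conservative: it reports indicators rather than a verdict, because a legitimate intranet host can be an IP literal and a partner can legitimately mention a brand in a path. The point it demonstrates is the one James makes: the host the browser resolves, and the certificate presented for it, are the facts to check; the readable prefix of a link is not.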
Microsoft Urges Patching
Microsoft did address several software security weaknesses with this month’s patch, including an ISA Server 2000 issue the company described as critical.
Microsoft said the server’s H.323 filter could enable a common attack known as a buffer overflow that would cede control of the system to an attacker. The H.323 filter is enabled by default on ISA Server 2000 computers installed in integrated or firewall mode, Microsoft said in a bulletin.
The other two vulnerabilities patched in the January round include a flaw in Exchange Server 2003 — rated as a moderate threat — that causes random and unreliable access to e-mail boxes recently accessed through Outlook Web Access (OWA); and a Microsoft Data Access Components (MDAC) issue in Windows that could grant an attacker certain system privileges.
Microsoft urged system administrators and users to install the security updates immediately.
Monthly Patching Debate Continues
Analysts agreed that a clear verdict on Microsoft’s new monthly patching procedure — both cheered and jeered within the industry when it was introduced by the software giant last October — has not yet been reached.
James said that while the monthly schedule makes sense in contrast to the seemingly random release of numerous security patches in the past, Microsoft also left itself leeway by saying it will preempt the monthly schedule if necessary.
Gartner’s Stiennon said the price of the new patching schedule is not worth the advantage of knowing when a patch is due to be released.
“I don’t think it’s totally worth it because customers are still looking to be protected [in the time] between a vulnerability being disclosed and the availability of a patch,” he said. “Microsoft should focus more on making better code — they’re not going to control information [available to attackers and users].”