Microsoft Issues Flurry of Fixes on Busy Patch Day

Microsoft on Tuesday announced its latest round of patches, focusing almost exclusively on flaws in older operating systems, servers and applications that were largely covered by Microsoft XP Service Pack 2 (SP2). Nevertheless, this month’s “Patch Tuesday” was busy, with Microsoft releasing 10 security bulletins for various vulnerabilities, a majority of which could allow for remote code execution or result in a denial of service. Several of the bulletins include more than one patch, comprising 20-odd patches in all.

Microsoft released a “cumulative security update” for Internet Explorer (MS04-38) that plugs eight holes in the popular browser, as well as six other unique patches for vulnerabilities that the company rated as critical.

“This is a lot, and it’s always cumbersome when there are so many,” said Russ Cooper, a senior scientist at Herndon, Va.-based TruSecure Corp. and moderator of the NTBugtraq mailing list. “The hard part [for administrators] is deciding if there’s anything here important enough that needs to be out instantly.”

Cooper said he saw the most immediate threats in the SMTP vulnerability (MS04-35), which affects Microsoft Exchange servers and offers the potential for e-mail bugs. For the mass market, Cooper said the most important patch would again be for Internet Explorer, which addresses problems with spyware.

Oliver Friedrichs, a senior manager at Symantec’s Security Response division in Cupertino, Calif., noted the appearance of four content-parsing flaws similar to the JPEG (GDI+) vulnerability announced last month.

Read more here about the JPEG bug.

“These are probably the flaws the attackers are going to exploit first, because they can affect the largest number of users,” Friedrichs said. “They can spread through e-mail, Web pages and message boards and really get the most bang for their buck.”

The four content-parsing flaws have been found in how Windows processes compressed (zipped) folders, Excel files, the Program Group Converter and finally in the rendering of WMF (Windows Metafile) and EMF (Enhanced Metafile) image formats, which is similar to the JPEG exploit. All could give an attacker remote access to applications and, in some cases, to entire systems.

According to Microsoft, the Internet Explorer update (MS04-38) is the only update that pertains to Microsoft XP SP2. Customers running SP2 are otherwise unaffected by the vulnerabilities, the company said.

“Almost all of these vulnerabilities were either internally discovered or known to Microsoft for months and months,” TruSecure’s Cooper said. “They were fixed when SP2 was released, but we didn’t have fixes simultaneously released for the other versions that were vulnerable.”

But Microsoft said it has reissued one bulletin, MS04-028, affecting JPEG Parsing (GDI+) in Windows, Office, Graphics Application and Developer Applications subsystem in Microsoft Windows. This re-release only affects Office XP applications for customers running on Windows XP SP2.

Other patches announced Tuesday address vulnerabilities in SMTP, in NNTP (Network News Transfer Protocol), in NetDDE (Network Dynamic Data Exchange) services, as well as a vulnerability that could cause WebDAV to consume all available memory and CPU time on an affected server. Friedrichs said he expects these network vulnerabilities to remain largely ignored by attackers.

Though Microsoft continues to encourage customers to install SP2, patches can be downloaded individually here.

Editor’s Note: This story was updated to include more details on the patches.

Check out eWEEK.com’s Windows Center at http://windows.eweek.com for Microsoft and Windows news, views and analysis.

Be sure to add our eWEEK.com Windows news feed to your RSS newsreader or My Yahoo page