Microsoft released four security alerts today, as it typically does on the second Tuesday of each month. The ratings: Two Critical and two Important. Microsoft combined three of the alerts into one, but they are technically separate issues.
The two “Critical” issues (info is here and here) would allow hackers to remotely execute code on a Windows PC, either through Windows itself or through Internet Explorer. All currently supported versions of Windows, including XP and 2003 Server, are vulnerable.
The first critical flaw, in Microsoft's ASN.1 (Abstract Syntax Notation One) library, is potentially nasty because the library is so widely used and because a successful attacker could gain access not only to a Windows computer but to the network it is connected to. Unlike the flaw that precipitated last summer's Blaster attack, there is no workaround. Applying the patch, and doing so immediately, is the best action to take.
The first “Important” alert, here, covers a different remote code execution vulnerability affecting the same Windows versions.
The other “Important” alert, here, affects Virtual PC for the Mac 6.0, 6.01, 6.02 and 6.1. The exploit could give a hacker elevated system privileges and, with them, access to the compromised computer.
Tomorrow at 1 p.m. ET, Microsoft will hold a Webcast to discuss today's alerts; info is here. A separate, monthly security Webcast is scheduled for next Tuesday at 11:30 a.m. ET; info is here.
Today's alerts follow an unscheduled critical update released on Groundhog Day that addressed longstanding issues with Internet Explorer. A security firm made those issues public over the U.S. Thanksgiving holiday in late November. Considering that Microsoft regarded the flaws as serious enough to issue an off-cycle critical alert, the 10-week lag between public announcement and fix is surprising. Microsoft's own data shows that the time between disclosure of a security flaw and the appearance of an exploit has dropped from more than 365 days a few years ago to just a few weeks today.
Microsoft wants people who uncover flaws to contact the company first, so that a fix can be developed before the problem is revealed publicly. But I don't think such responsible action is realistic. There may be smaller security firms looking to build their businesses; security flaws are big press. Also, taking the hackers-are-criminals viewpoint, there isn't much benefit to their holding onto information that they can exploit.
Besides the fixes, available here, Microsoft also nixed an obscure Internet Explorer feature that would display user name information as part of the Web address. Hackers could exploit the feature to spoof Websites, meaning to take users somewhere other than where they intended to go. Exploited correctly, it could coerce compromised users into giving away devastating amounts of the personal information used in e-commerce transactions.
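The spoof works because in a URL of the form scheme://userinfo@host/path everything before the “@” is user-name information and plays no part in choosing the server, so a reader who stops at the first hostname-looking token sees the wrong name. The following check, added here as an illustration and not code from Microsoft or the original post, splits such URLs and flags http(s) addresses that carry user-info, the way a proxy or mail filter might; the sample URLs are constructed and use reserved example/test names.

```python
from urllib.parse import urlsplit

# Constructed sample of URLs as a proxy or mail filter might see them.
SAMPLE_URLS = [
    "https://www.example-bank.test/login",
    "http://www.example-bank.test@198.51.100.7/login",
    "http://user:secret@intranet.example/reports",
    "ftp://anonymous@files.example/pub",
]


def inspect_url(url):
    """Split a URL and report whether its authority carries user-info.

    Only the part after the last '@' in the authority selects the server;
    the text before it is user-info. Returns the parsed pieces plus a
    'suspicious' flag for http(s) URLs that carry user-info, which is the
    feature Internet Explorer stopped honouring.
    """
    parts = urlsplit(url)
    userinfo = None
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
    # A dot in the user-name portion means it reads like a hostname,
    # the shape a spoof relies on; "user:secret" does not.
    looks_like_host = bool(userinfo) and "." in userinfo.split(":", 1)[0]
    return {
        "url": url,
        "scheme": parts.scheme,
        "real_host": parts.hostname,
        "userinfo": userinfo,
        # ftp:// URLs legitimately carry user-info, so only http(s) is flagged.
        "suspicious": parts.scheme in ("http", "https") and userinfo is not None,
        "userinfo_looks_like_host": looks_like_host,
    }


def flag_urls(urls):
    """Return inspection results for the URLs that were flagged."""
    return [r for r in map(inspect_url, urls) if r["suspicious"]]


if __name__ == "__main__":
    for hit in flag_urls(SAMPLE_URLS):
        print(hit["url"])
        print("  actually connects to:", hit["real_host"])
        print("  user-info shown first:", hit["userinfo"])
```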
Not surprisingly, late last week, news stories focused on the feature change, which has prevented some users from gaining access to legitimate Websites. I view that as the price of correcting a problem that really should not have existed in the first place. The Web address feature, while a handy shortcut for accessing sites requiring IDs and passwords, made little sense from a security perspective. The feature is an open door Microsoft should have closed and locked long ago. [Microsoft Monitor]