One week after issuing the out-of-cycle ANI cursor flaw patch, Microsoft released five additional security updates to fix eight vulnerabilities as part of its monthly Patch Tuesday cycle. Redmond also corrected problems that last week's emergency patch caused customers.
Three of the security updates to the Windows operating system were rated critical. Hackers could use the vulnerabilities to install malicious code on a victim's PC. The fourth flaw addresses a vulnerability in Microsoft's Content Management Server software.
Davis Marcus, a security research and communications manager for McAfee Avert Labs, said the Microsoft Content Management Server vulnerability and the Windows Client/Server Runtime Subsystem (CSRSS) vulnerability are of particular concern.
"Both of these can result in remote code execution on affected systems," Marcus explained in a statement. "Combined with the popularity of browser or Web-based attack vectors, these vulnerabilities can be particularly dangerous. Consumers and enterprises should take these vulnerabilities very seriously and employ a risk-based management approach to make sure they are properly protected."
ANI Once Again?
The critical ANI cursor flaw patch, which fixed a problem in the way Windows handled animated cursor files, was added to April's Patch Tuesday mix.
According to Microsoft's security blog, last week's patch caused problems with some third-party applications, including TUGZip, a free file-archiving utility and CD-Tag, a program that turns CDs into digital audio files. But some security researchers believe the ANI issue is far from over.
"While Microsoft fixed the ANI vulnerability last week, a new Vista vulnerability has emerged and was addressed, leading experts to believe that this is the beginning of the weaknesses that we will see this year with Vista and that Microsoft's reuse of code from previous versions of Windows can weaken Microsoft's new Security Development Lifecycle," said Amol Sarwate, manager of the vulnerability research lab at Qualys.
Meanwhile, update MS07-021 addresses the CSRSS vulnerability, which could allow a hacker to take complete control of a system if a victim views a specially crafted Web site. The problem lies in the CSRSS process because of the way it handles error messages. Although this vulnerability is listed for Vista, nCircle points out that it also affects all previous Windows platforms.
The CSRSS vulnerability is another data point in the changing security landscape, according to Minoo Hamilton, a senior security researcher for nCircle, a network security firm with clients including Visa, Fujitsu, and U.S. Cellular.
"Vulnerability trends have shifted toward those that require human interaction in response to Microsoft's gradual tightening down on remote code execution," Hamilton noted. "Attacks that leverage social engineering techniques are difficult to defend against because the human element is always an unknown variable."
The impact of the CSRSS vulnerability on I.T. managers will be significant, according to nCircle, because the vulnerability affects everything and will therefore be harder to manage. However, Hamilton said, the most interesting thing about MS07-021 is that "we have a [common vulnerabilities and exposures alert] on Dec. 21, 2006 and a Microsoft Security Response Center blog posting on Dec. 22, 2006 on this same vulnerability well in advance of Vista's release in January 2007."