Microsoft has come in for criticism for waiting over a year to provide a patch that corrects some underlying coding problems which may have led to thousands of systems being left vulnerable or compromised.

Qualys CTO Wolfgang Kandek said he could not understand why it had taken Microsoft 15 months to provide a fix for a vulnerability identified in a Microsoft Video ActiveX component. “It is a very simple patch for a vulnerability which is now being exploited in the wild,” he said. “Technically it is not that difficult, and the delay in providing a patch has put a significant part of the population at risk.”

Kandek said the industry believes many thousands of websites have been serving the exploit, and that it is very easy to become infected. “I think it is serious. It’s triggered by a browser simply visiting a site. There is no need to run an executable of any kind. The exploit is contained in a little graphics file. The only defense is not to visit an infected site, but some popular sites may well have now been compromised,” he told us.

Kandek noted, “Browsing websites that have exploit code embedded with Internet Explorer as the main attack vector will certainly fuel the discussion around the use of alternative browsers. Microsoft has quickly provided easy-to-use workarounds for both vulnerabilities via their Fixit program, but it is not clear why they have waited so long to provide a fix. Microsoft has industrialised the patch process across its multiple operating system platforms, but somehow this one must have been evaluated as low priority.”

Three zero-day advisories about Microsoft security have been issued in the last six weeks. They cover the hole in Microsoft Video, a problem identified in DirectShow, and one in the OpenType Font Engine, and they apply to all versions of Windows, Vista and 2008 included.

The announcements have kept the security industry busy.

Eric Schultze, CTO at Shavlik Technologies, said, “Two of Microsoft’s other releases this month apply to products that you don’t see patched very often – ISA Server 2006 and Virtual PC. Although these two products are associated with security functions, neither flaw is as bad as it seems and Microsoft has rated the severity for each of these as Important.”

Apparently, ISA Server only becomes vulnerable if it is specifically configured to use RADIUS one-time passwords, to use Kerberos for authentication, and to fall back to basic HTTP authentication when asked. “It’s probably a very small number of systems in the world that are configured exactly this way,” Schultze noted.

The other vulnerability relates to guest operating systems hosted on Microsoft Virtual PC or Virtual Server, which could be subject to a privilege escalation attack.