April 13, 2004

Twenty holes plugged on Microsoft patch day

Microsoft Corp yesterday issued patches for 20 security vulnerabilities, many of them critical, which have been found in every version of its ubiquitous operating system and a popular bundled office application.

By CBR Staff Writer

The worst of the vulnerabilities could allow crackers to execute malicious code on your Windows boxes. Some could be incorporated into Blaster-style network worms. Microsoft and others have known about some of the holes for over seven months.

Microsoft has chosen this time to issue the 20 patches in four chunks that cannot be separated, rather than addressing each vulnerability separately. The firm said this is to increase the speed of download and ease of patching.

Together, the patches for Windows XP weigh in at a little over 3MB, lightweight compared to previous Microsoft updates, and not big enough to present a significant hurdle for users limited to 56Kbps dialup internet connections.

The bundling of patches is also good for saving face by keeping big numbers out of headlines. As ComputerWire went to press yesterday, both Reuters and Associated Press reports were suggesting that just three critical holes had been found.

Three of the patches are classified as Critical, the most severe class by Microsoft’s reckoning. One update, for example, patches eight remote code execution vulnerabilities, two denial of service vulnerabilities, and four privilege escalation vulnerabilities.

Microsoft advises everybody to apply the three Critical patches immediately. The fourth patch, fixing a hole in Microsoft’s Jet Database Engine, is classed as Important and users are advised to apply the patch as soon as practical.

Some security researchers have a problem with the way Microsoft issued this set of patches. In one instance, the company waited a disturbing 216 days before publishing the fix, according to eEye Digital Security Inc.

eEye found six of the twenty flaws. It informed Microsoft about four of them over one hundred days ago. One of the holes is in the Windows implementation of the RPC protocol, which was exploited by Blaster.

Another wormable hole is in the Windows Local Security Authority Subsystem Service (LSASS), an interface for managing local security, domain authentication, and Active Directory processes, according to Microsoft.

“Microsoft has been sitting on the LSA and the RPC vulnerabilities, and eEye has been sitting on these vulnerabilities, for over 180 days,” said Firas Raouf, COO of eEye. “For 180 days our networks have been wide open to attack.”

eEye has a policy of only releasing full details of vulnerabilities after the vendor has issued a patch, but the company thinks that 60 days is a reasonable time to give a vendor to create a patch, test it, and get it out the door.

The potential for a network worm that exploits one or more of these latest vulnerabilities underscores the need to patch quickly. While last August’s Blaster exploited month-old vulnerability knowledge, the recent Witty worm came out in 24 hours.

“Some of these vulnerabilities have the potential for a quick turnaround,” said Vincent Gulloto, VP of the McAfee AVERT research team at Network Associates Inc. He added that the virus writer would need specific knowledge of how to construct an exploit.

eEye’s Raouf said that 24 hours from disclosure to virus would be pretty aggressive, but that it could be possible for malware to be created in two or three days, if the hackers were determined enough.

This article is based on material originally published by ComputerWire
