The worst of the vulnerabilities could allow crackers to execute malicious code on your Windows boxes. Some could be incorporated into Blaster-style network worms. Microsoft and others have known about some of the holes for over seven months.
Microsoft has chosen this time to issue the 20 patches in four chunks that cannot be separated, rather than addressing each vulnerability separately. The firm said this is to increase the speed of download and ease of patching.
Together, the patches for Windows XP weigh in at a little over 3MB, lightweight compared to previous Microsoft updates, and not big enough to present a significant hurdle for users limited to 56Kbps dialup internet connections.
The bundling of patches is also good for saving face by keeping big numbers out of headlines. As ComputerWire went to press yesterday, both Reuters and Associated Press reports were suggesting that just three critical holes had been found.
Three of the patches are classified as Critical, the most severe class by Microsoft’s reckoning. One update, for example, patches eight remote code execution vulnerabilities, two denial of service vulnerabilities, and four privilege escalation vulnerabilities.
Microsoft advises everybody to apply the three Critical patches immediately. The fourth patch, fixing a hole in Microsoft’s Jet Database Engine, is classed as Important and users are advised to apply the patch as soon as practical.
Some security researchers have a problem with the way Microsoft issued this set of patches. The company waited in one instance a disturbing 216 days before publishing the fix, according to eEye Digital Security Inc.
Content from our partners
eEye found six of the twenty flaws. It informed Microsoft about four of them over one hundred days ago. One of the holes is in the Windows implementation of the RPC protocol, which was exploited by Blaster.
Another wormable hole is in the Windows Local Security Authority Subsystem Service (LSASS), an interface for managing local security, domain authentication, and Active Directory processes, according to Microsoft.
Microsoft has been sitting on the LSA and the RPC vulnerabilities, and eEye has been sitting on these vulnerabilities, for over 180 days, said Firas Raouf, COO of eEye. For 180 days our networks have been wide open to attack.
eEye has a policy of only releasing full details of vulnerabilities after the vendor has issued a patch, but the company thinks that 60 days is a reasonable time to give a vendor to create a patch, test it, and get it out the door.
The potential for a network worm that exploits one or more of these latest vulnerabilities underscores the need to patch quickly. While last August’s Blaster exploited month-old vulnerability knowledge, the recent Witty worm came out in 24 hours.
Some of these vulnerabilities have the potential for a quick turnaround, said Vincent Gulloto, VP of the McAfee AVERT research team at Network Associates Inc. He added that the virus writer would need specific knowledge of how to construct an exploit.
eEye’s Raouf said that 24 hours from disclosure to virus would be pretty aggressive, but that it could be possible for malware to be created in two or three days, if the hackers were determined enough.
This article is based on material originally published by ComputerWire
