A very ‘Patchy’ Patch-Tuesday

Most of us have become accustomed to Microsoft ‘Patch-Tuesday’. On the second Tuesday of each month, Microsoft coordinates the release of security patches to fix security ‘holes’ it has been made aware of and for which it has found a solution. Many people look at ‘Patch-Tuesday’ with a mixture of frustration and reassurance. The frustration comes from the very public exposition of ‘not another list of security issues’, followed by having to wait for their PCs to download and install the patches. The reassurance comes from knowing that solutions have been found and that the bad guys have been put back in their box. This month was a bit different.
 
When a vulnerability is discovered for the first time, and hence no patch or solution is yet available for it, we describe this as a ‘zero-day’ vulnerability. On Monday, as Microsoft was preparing everyone for this month’s ‘Patch-Tuesday’, it had to warn that attackers were exploiting a flaw in the Snapshot Viewer ActiveX control bundled with all versions of Access, Office’s database program, except the newest edition, Access 2007. As is the case with most of these ActiveX attacks, the exploits are being served by legitimate Web sites that have themselves fallen victim to automated injection of malware into some of their pages. In the past, we have seen government, commercial, and hobby sites fall victim to these attacks and subsequently begin serving exploits to each of their visitors. An attacker would have to lure a victim, via a link in an e-mail or IM for instance, to a specially crafted Web page that could exploit the security hole to achieve remote code execution. This would give the attacker the same access to and rights on the computer as the logged-on user has. Until a patch is created and deployed, we recommend that all Internet Explorer users, including those who do not have the Access Snapshot Viewer installed, update their Norton antivirus/internet security definitions.

But things didn’t stop there. As we rolled into ‘Patch-Tuesday’, only hours after fixing nine vulnerabilities in several of its programs, Microsoft confirmed that attackers are exploiting an unpatched bug in Word 2002. In lieu of a patch, the Microsoft advisory recommended that users turn to Word 2003 Viewer to open and view Word files. Microsoft said that a patch may be forthcoming, but did not specify a timetable.

All in all, a very messy ‘Patch-Tuesday’.