Microsoft on Tuesday released nine security bulletins that patched 14 separate vulnerabilities for Windows and Internet Explorer, including several that could easily end up being exploited in short order by attackers.
Of the three bulletins tagged "Critical," the highest rank in Microsoft's four-step scale, the one that looks the most serious to security experts is MS05-051, which covers four vulnerabilities, two of which may soon be exploited.
One of the two critical vulnerabilities in the bulletin is within the Microsoft Distributed Transaction Coordinator (MSDTC), code that's used to coordinate any sort of transaction on multiple servers, such as database queries. "It's a service used primarily in enterprises," said Neel Mehta, the team lead of Internet Security Systems' (ISS) X-Force research group. "You don't see it much on smaller-scale servers or desktops."
Like August's MS05-039 bulletin, which disclosed a hole in Windows' Plug and Play, the MSDTC bug can be particularly damaging for Windows 2000 users. On that OS, MSDTC is turned on by default, and can be exploited remotely.
"This could have a similar impact [to MS05-039]," said Mehta. "It remains to be seen whether it can be exploited as easily as that earlier vulnerability."
The Plug and Play vulnerability in August quickly led to the Zotob outbreak, and analysts on Tuesday feared the same thing might happen with the MSDTC bug.
"It's very similar to the Plug and Play vulnerability that led to Zotob. It's the same type of thing," said Marc Maiffret, the chief hacking officer at eEye Digital Security, the security company credited with the discovery of the MSDTC flaw. The second Critical vulnerability in MS05-051 is within COM+, the part of Windows that handles resource management chores like thread allocation and security. Here, too, Windows 2000 (and Windows XP SP1) are the most vulnerable; both can be attacked remotely.
"MS05-051 is the one to patch first," said Mike Murray, director of research at vulnerability management vendor nCircle. "The COM+ vulnerability is the most serious, I think, and MSDTC isn't far behind." Two other October bulletins, MS05-050 and MS05-052 are tagged as Critical, and should be patched as soon as possible, Microsoft said.
A bug in Windows' DirectShow, a component that streams media and is part of DirectX, is the basis for MS05-050. "This is dangerous because virtually everything is affected by it," said Mehta, "and it can be easily exploited." Windows 98, 98 SE, and Me; Windows 2000; Windows XP (SP1 and SP2); and Windows Server 2003 (including SP1) are all equally vulnerable, according to Microsoft.
"If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system…then install programs; view, change, or delete data; or create new accounts with full user rights," read the bulletin.
MS05-052 is a cumulative patch for Internet Explorer, and is potentially dangerous, said both Mehta and Murray, because the bug's been known since mid-August and exploits are circulating.
"It's this month's IE vulnerability," said Murray. "When we find out there are, say, nine security bulletins scheduled, we know one will be for IE." Murray's not being cynical, only realistic. IE has been patched in six of the eight months in 2005 when patches were produced, missing only January and May (Microsoft skipped the patch cycle in February and September).
Four more bulletins, ranging from MS05-046 to MS05-049, were judged by Microsoft as rating "Important," and another two, MS05-044 and MS05-045, were labeled "Moderate."
For one security expert, however, it's not the number of bulletins or vulnerabilities, not even the risk some may pose, that's the real story. Murray of nCircle sees the slew of patches differently.
"I think the message for the month is that with Windows XP SP2 and Windows Server 2003, Microsoft has really done a decent job on securing the software," Murray said.
"Look at the bulletins. It's a recurring theme that with Windows XP SP2 and Windows Server 2003, an attacker needs certain types of access, particularly an authenticated account and/or local access. "I'm not usually one to heap praise on Microsoft, but the fact that you keep seeing this trend suggests that they've gotten better at making secure software."
Users can obtain October's patches via the in-background Automatic Update in Windows, from the Microsoft Update service, or through the company's main bulletin summary site.