A day Microsoft intended for normally-scheduled security updates
turned into a fire-dousing exercise after last week's patch for a
vulnerability in its Windows Metafile (WMF) image processor.
While security experts are now minimizing the impact of a WMF
vulnerability (especially now that it's been patched since last
Thursday), Microsoft issued a similar warning as part of its monthly
security patches released today, only this time about Web fonts.
One of today's security bulletins, rated critical (MS06-002), is
similar to last Thursday's WMF warnings because the vulnerability
affects all users of Internet Explorer surfing the Web.
"This is much like WMF," said Johannes Ullrich, Chief Research
Officer for SANS. Ullrich recommends users install the patch without
The vulnerability is similar to the WMF flaw that Microsoft
patched outside of its regular patching cycle last week. In the
latest patch, an embedded fonts threat requires that a user be enticed to
visit a Web site, according to Alain Sergile, Technical Product
Manager of Internet Security Systems X-Force research.
Although embedded Web fonts present a vulnerability that is easier to
exploit, the other bulletin (MS06-003) addresses a vulnerability in
Microsoft Office and Microsoft Exchange with much wider possible
impact. This, too, was rated critical as part of Microsoft's monthly
security bulletin notices, otherwise known as Patch Tuesday.
The patch in this bulletin addresses vulnerabilities in
Microsoft Office and Microsoft Exchange that could, if exploited, allow
attackers to take control of a PC with or without user
participation, according to Microsoft.
The security concern centers on Microsoft’s use of proprietary
e-mail code. The vulnerability is made even more important since
Microsoft Exchange Server 5.0 Service Pack 2 and Microsoft Exchange
Server 5.5 Service Pack 4 are targeted, according to Ullrich.
Microsoft Exchange Server 2003 is not affected, according to
Microsoft initially planned today to release a patch for the WMF
vulnerabilities discovered in December. However, pressure from
companies and security experts prompted the patch to appear last
week. While the WMF bug was described yesterday as potentially
enabling execution of malicious instructions, researchers scaled back their
concerns and alerts today.
"At this point, it is only a nuisance," Oliver Friedrichs, Senior
Manager for Symantec's Security Response, told internetnews.com.
Upon first learning of the report, Symantec recommended users
disable the Windows Picture and Fax Viewer, an application that is
launched when Internet Explorer processes Web site graphics. After
analyzing the WMF file format, Symantec followed up, saying it thinks end
users need not worry.
While some feared the vulnerability might enable malicious
commands to be executed, the bugs cannot be exploited beyond causing
computers to crash, according to Friedrichs.
Avaya, which sells communications equipment, warned its customers
systems running on Windows 2000 were vulnerable to the WMF bug.
Microsoft offers security patches only for Windows 2000 SP4 or
"As it turns out, these crashes are not exploitable but are
instead Windows performance issues that could cause some WMF
applications to unexpectedly exit," wrote Lennart Wistrand,
Microsoft's security program manager, in a blog entry at the
Microsoft Security Response Center.
Friedrichs agrees with Wistrand that the remaining WMF
vulnerabilities can be addressed through the usual patching process.
Although Microsoft points to the quick reaction in face of the
WMF threat as a sign of its improved stance on security, Ullrich
describes the response as "very disappointing."
"Microsoft took their time addressing a public exploit," said
Sergile.

MS06-002 for Internet Explorer Web Fonts
MS06-003 for Exchange and Outlook