Redmond stuck to its schedule this month and released its security update on the expected date. After an embarrassment of riches in October,
when the software giant released nine security bulletins, Microsoft scaled back in November and released just one. However, the bulletin addresses several vulnerabilities, two of which are critical.Details
Microsoft's security department kept to its November schedule and
released one security bulletin for the regularly scheduled 8 November
deadline. Microsoft Security Bulletin MS05-053,
"Vulnerabilities in Graphics Rendering Engine Could Allow Code
Execution", addresses some new individual vulnerabilities as well as
replaces both MS03-045 and MS05-002 for Windows XP Service Pack1 only.
MS05-053 addresses the following vulnerabilities:
Graphics Rendering Engine vulnerability
This is a remote code execution threat caused by a buffer overrun in
the Windows Metafile and Enhanced Metafile image rendering engine (CAN-2005-2123).
As of 14 November, there have been no reports of exploits in the wild.
Researchers had disclosed none of these vulnerabilities publicly prior
to the release of the update.
Windows Metafile vulnerability
This is also a remote code execution threat caused by an unchecked buffer in the Windows Metafile image rendering engine (CAN-2005-2124).
As of 14 November, there have been no reports of exploits in the wild.
Researchers had disclosed none of these vulnerabilities publicly prior
to the release of the update.
Enhanced Metafile vulnerability
This is a denial of service threat with a maximum severity rating of moderate (CAN-2005-0803).
The culprit is an unchecked buffer in the Enhanced Metafile image
rendering engine. While proof of concept code has appeared on the
Internet, Microsoft reports that it hasn't received any notification of
actual attacks based on this vulnerability.
Microsoft Baseline Security Analyzer (MBSA) 1.2.1 and MBSA 2.0 will indicate if this update is necessary. In addition, Systems Management Server (SMS) will also detect whether the update is required and can help deploy this update.
Applicability
The threats generally affect Windows 2000 and later versions, including the 64-bit and Itanium editions.
The Graphics Rendering Engine vulnerability affects the following:
- Windows 2000 SP4
- All versions of Windows XP
- All versions of Windows Server 2003
The Windows Metafile vulnerability and the Enhanced Metafile vulnerability affect the following:
- Windows 2000 SP4
- Windows XP SP1 (but not Windows XP SP2)
- Windows Server 2003 (but not Windows Server 2003 SP1)
Risk level
Microsoft rates the Graphics Rendering Engine vulnerability as critical
for all affected platforms. The Windows Metafile vulnerability is a
critical threat for Windows 2000 SP4, Windows XP SP1 and Windows Server
2003; however, it is not a threat for Windows XP SP2 and Windows Server
2003 SP1.
The Enhanced Metafile vulnerability is only a moderate threat for Windows 2000 SP4, Windows XP SP1, and Windows Server 2003. This vulnerability poses no threat to Windows XP SP2 or Windows Server 2003 SP1. The severity ratings are the same for comparable 64-bit and Itanium-based versions.
Mitigating factors
Again, fully updated Windows XP and Windows Server 2003 operating
systems are not vulnerable to two of the three threats included in this
security bulletin. In addition, best practices — such as not randomly
visiting strange Web sites and using email only in text mode — can
eliminate the threat from the critical Graphics Rendering Engine
vulnerability. However, these best practices don't protect you from an
embedded image in an Office document, but you can mitigate that threat
by not opening documents from untrusted sources.
Fix
Install the update. According to Microsoft, fix the message length
verification so it isn't as likely to cause other problems as more
major patches sometimes do.
As a workaround for the most serious threat, the Graphics Rendering engine vulnerability, avoid untrusted Web sites that may contain malicious graphics files and open all emails in text mode.
Final word
There's certain to be the usual flurry of complaints about Microsoft
concerning this security bulletin, but it's only fair to point out that
anyone following best practices — and enforcing those practices among
the users they support — would probably have little exposure to these
threats. It's a bit like having your identity stolen because you fell
for a phishing scheme — you mostly have yourself to blame even though
it makes you feel better to blame the vendor.
Although this patch is less likely to have unintended consequences than some of the major patches, keep in mind that any alteration to your system software has the potential to cause a problem with some poorly written application. Therefore, whenever possible, fully test any patch before installing it on a mission-critical system.
Talkback
Mostly have yourself to blame?
That's a double edged sword.
Do you mean, 1, by buying products known to be insecure year round you should have known better, or, 2, by not staying up-to-date with the latest patches you're simply asking for it? Knowing that patching is some 'geek thing' that's standing in the way of doing business as those who don't have a real clue think is the sensible thing to do inspired as they are by means of sales talk and sponsored commercials as the one and only truth they think is reality.
Or put in another way. You're driving this cool and hot brand new car you bought at 80 mph and suddenly the steering wheel locks, the engine shuts down (no breaks to speak of) and your safety belt snaps in half while you see a 10-tonner in front of you getting closer awfully fast.
Who's to blame while someone is picking up the pieces left of you after the crash?
The answer is: not your problem anymore. So basicly it's someone elses problem so who gives?
Can you take a hint? Because basicly, judging from experience, share holders can't. So far.