This week, I focus on three important security hotfixes. If you haven’t checked the security postings at Microsoft's TechNet site recently, set aside some time to gather and install the updates I discuss today. If you need to update just a few systems, you can perform the update online at the Microsoft Personal Security Advisor site.
Microsoft released several security updates for Windows XP and Windows 2000 in November and December. The most important hotfix, and the one that affects the most users, is a combined security rollup that eliminates all known vulnerabilities in Internet Explorer (IE) 6.0 and 5.5. The next hotfix, which is important if you’re supporting Outlook Web Access (OWA) clients on Microsoft Exchange Server 5.5, closes an OWA service scripting vulnerability. The third hotfix is a rollup that eliminates a scripting vulnerability that exists in several versions of Windows Media Player (WMP). I frequently use WMP to listen to National Public Radio (NPR) while I’m writing, so this vulnerability struck close to home.
I installed the IE and WMP updates on a Win2K Server machine. Neither update uses the hotfix installer, and no command-line option exists that lets you disable the automatic reboot. As a result, you can’t install the hotfixes back-to-back, and you must reboot after each install. As a warning, after I updated IE, I had to manually close Explorer and Power Meter to let the system shut down.
I haven't installed the updates on any XP systems. If you have problems updating XP, post comments in response to this column so that others can benefit from your experiences. Happy holidays to everyone—see you again on January 8, 2002!
IE Rollup Hotfix
On December 13, Microsoft released Microsoft Security Bulletin MS01-58, a rollup hotfix for IE 6.0 and 5.5 Service Pack 2 (SP2). Security Bulletin MS01-58 includes code fixes for all previously published vulnerabilities and updates that close three newly discovered security problems:
- A malformed HTML header exploit in IE 6.0 that permits a hacker to create a Web page or an HTML file that automatically runs code of the attacker’s choice without first prompting the user.
- A variant of the "Frame Domain Verification" vulnerability in IE 6.0 and 5.5 that lets a malicious Web site operator open two browser windows, one on the Web site and one on the client, and to read, but not change, files on the client.
- A flaw in Web-page or HTML file downloads in IE 6.0 and 5.5 that lets a hacker fool a user into accepting unsafe file types from a trusted source.
This hotfix supercedes Security Bulletin MS01-55, which includes code fixes that correct security problems with cookies and dotless IP address spoofing. According to the bulletin, you can safely enable Active Scripting after you install this rollup. You can download the update at the Microsoft Web site. Be sure to select the download link for the version of IE that you need to update.
OWA Service Hotfix
Microsoft Security Bulletin MS01-57 documents a loophole that leverages an obscure flaw in the OWA service’s content- filtering code. Using a suitably malformed script, a malicious user can gain full control over a user’s Exchange mailbox, potentially sending, moving, or deleting messages and folders. This vulnerability exists only for users who read Exchange 5.5 mail in IE, not for those who read mail in any other browser or in an Outlook client. Further, an attacker can't exploit this vulnerability to perform actions to any other mailboxes, the Exchange server, or the user’s local machine.
To eliminate this vulnerability, you must install the hotfix on the system that hosts Microsoft IIS and runs the OWA service. In most cases, the IIS server is also the Exchange server, but if you run Exchange on one system and IIS with the OWA service on another server, you must install the update on the IIS/OWA server. The security bulletin notes that the minimum requirement for installing the hotfix is IE 5.0, and the preferred version is IE 5.5 SP2. Microsoft corrected the original hotfix’s IE file version problems in the rerelease of Security Bulletin MS01-57, which you can download from the Microsoft Web site.
WMP is riddled with security vulnerabilities, some of which date back to last year. If you've never updated WMP, you can close all known security vulnerabilities by installing the combined hotfix that Security Bulletin MS01-56 describes. The problem that prompted this update is an unchecked buffer, but this hotfix contains code fixes that eliminate multiple security issues documented in security bulletins MS00-90, MS01-029, and MS01-042.
WMP supports a streaming media format called Advanced Streaming Format (ASF). The code that processes ASF files contains an unchecked buffer that permits a specifically malformed script to perform any action on the local machine for which the user has permission. The unchecked buffer is a problem only in WMP 6.4, and poses a risk only if a user plays the malformed ASF file. This update also eliminates an opportunity for a malicious user to leverage the same vulnerability by sending a malformed script in an HTML email or including the script in a file on a Web site. Finally, the update contains fixes for several variants of the malformed script that Microsoft discovered during internal testing.
WMP 7.0 and 7.1 contain compatibility code that lets the most recent versions play files formatted for WMP 6.4. To ensure that you close the gaps in the compatibility code, Microsoft recommends that you install this combined hotfix on all systems that run WMP, regardless of the version. You can find the update for Win2K and Windows ME at the Microsoft Web site. You can update WMP for XP interactively at the Windows Update site. If you’re rolling out XP, you can clean up WMP and a host of other problems by installing the XP critical update Microsoft released on October 25.