By Susan Bradley
After a month with no security bulletins in March, it’s back to our normal evaluation process. This month, in addition to eight security bulletins available via Windows Update, we’ve got two nonsecurity patches, Windows 98 and Me re-releases — and, oh, did I happen to mention some newfound browser insecurities?
Of the eight bulletins, five are labeled "critical" and three merely "important." I recommend that you put a very high priority on the two patches that do not install via Windows Update. These are MS05-021, which affects Exchange 2000, particularly on the Small Business Server platform, and MS05-023, which prevents Word 2000, 2002, and 2003 from giving up your PC to an infected .doc file.
I’ll deal with these two urgent patches first, and then advise you of problems that have become known so far with Microsoft’s other April 12 patches.
Urgent: Exchange 2000 Server needs critical update
MS05-021 (894549): This patch for Exchange 2000 and 2003 servers probably worries me the most. Many people urgently need this patch, but there is no supported, free patch-management tool that deploys Exchange patches at this time. (Third-party, commercial patch-management tools do deploy this patch.)
This security update requires, if you’re updating Exchange 2000, that you first have Exchange 2000 Server Service Pack 3 as well as the Exchange 2000 Post-Service Pack 3 Rollup Patch (KB 870540).
What to do: If you have an Exchange 2000 server that accepts e-mail with merely an open port 25, ensure that you manually download and install MS05-021. For Exchange 2003, it’s much less of a concern.
Urgent: Word 2000 through 2003 open to hackers
MS05-023 (890169): This fix is probably the biggest concern for Word users, due to the lack of an easy, automatic patch. The buffer overrun that this patch corrects affects Word 2000, 2002 and 2003. If you’re running with administrative rights, someone sending you a document using this buffer-overrun exploit would be able to take control of your system.
What to do: I don’t recommend at this time that you block .doc email attachments. Instead, visit Office Update and then keep a close eye on this subject for possible issues in the future.
TCP/IP patch eliminates older workaround
MS05-019 (893066): There’s one bit of very good news with MS05-019. This download includes within it a TCP/IP workaround I’ve been installing on all of my XP SP2 machines. I call this the loopback patch. The fix was previously included in KB 884020, but it’s no longer necessary after you install MS05-019.
The patch also changes a value in some versions of the Windows Registry known as TCPWindowSize and adds a new value called MaxIcmpHostRoutes.
What to do: You should read KB articles 896350 and 890345 before installing this patch. The first article explains the Registry changes, which can affect some companies. The second article describes ways to work around performance issues that’ll be felt by those running Windows 2000 with Service Pack 3 after installing the patch.
IE patch removes previous hotfixes
MS05-020 (890923): This is another set of critical, cumulative updates for Internet Explorer 5 and 6. The flaws fixed by this bulletin have already had sample exploits posted to listserves.
What to do: These cumulative updates, while important to install, may remove specialized hotfixes you received for Internet Explorer after MS04-004 (which was released in Feb. 2004) but before MS04-038 (Oct. 2004). Before installing MS05-020, review the information in KB 890923 and 897225 for more details.
Patch is missing in Add/Remove order
MS05-016 (893086): Microsoft is closing a flaw in all versions of Windows (even XP SP2) that runs executable HTA files (HTML applications) even if a file has been renamed to some innocent-looking extension that normally isn’t executable, such as .G1F (where a numeric "1" instead of the letter "I" is used).
If you have some good reason not to install MS05-016, you can defeat the attack by temporarily disabling HTA files in the Registry. Instructions for this are provided by iDefense, a security research firm.
This patch bears no “installed on” date in the Add/Remove Software control panel. That means it won’t show up in the correct order of installation in that dialog box. Instead, it’ll show up at the beginning of the Windows XP – Software Updates list. See KB 893086.
Icon patch re-released for Win9x and Me
MS05-002 (KB 891711): Last month, while not being a "new bulletin" month for the NT family of operating system, Microsoft did provide some patches for the 9x family. MS 05-002 was finally re-released to provide fixes for these platforms. As was reported earlier, we saw reports with video drivers that have ended up with blue screens. This patch was re-released on Tuesday and should be installed (or reinstalled) on all Windows 98/ME machines.
PNG fix re-released for Messenger on XP SP1
MS05-009 (KB 890261): Also re-released was MS05-009, a patch that fixes a security hole when loading a PNG image file, which is now updated for those running Windows Messenger 188.8.131.529 on Windows XP SP1.
Giant images crash IE and Firefox
We just can’t have a month go by without comparing Web browsers. This newsletter is no exception, but this time we’re not comparing Firefox to Internet Explorer. Instead, a interesting post to a security listserve points out that there’s another browser out there named Opera. This browser has some detractors, because you must pay to get a no-ad version, but it’s specifically being lauded as being unaffected by an image-rendering denial-of-service attack.
The flaw allows a hacker Web site to crash both IE and Firefox by displaying an image with huge height and width attributes. There’s no workaround for Internet Explorer. But you can prevent the problem from affecting Firefox by installing an extension named Grease Monkey. In the words of Andrew, the poster, you then use the extension program to write a DHTML user script and set a height and width limit for images to 5000 pixels.
What to do: Because Firefox will probably release a fix for this soon, I haven’t tried to write such a script. If you’re familiar with DHTML, you could use Grease Monkey’s authoring guidelines to develop a way to limit image sizes. If you do so, let me know via the newsletter’s contact page.
In the meantime, this isn’t a bug that allows a hacker to take over a PC. It merely crashes the browser. So I’ll simply say (in the immortal words of Sgt. Phil Esteraus from Hill Street Blues), just be careful out there, will you?
New blog and RSS security alert service
Last but not least, on Apr. 12 the Microsoft Security Resource Center moved its blog to its new location on the TechNet Blog property and announced a new security alert service that expands its RSS feeds to Instant Messenger Alerts as well.
As a final note, I cannot stress enough how important it is to call into Microsoft Product Support Services if you find issues with any patch or service pack. This is how these issues get corrected. In the United States, call 866-PCSafety (866-727-2338). Non-U.S. readers can call the local MS subsidiary using the number found at support.microsoft.com/security.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.