Microsoft fixes WSUS, releases Windows security updates

Bill Brenner
Microsoft stuck with its original patching plan and released two security updates Tuesday, addressing flaws remote and local attackers could exploit to compromise targeted Windows machines, including all supported versions of Windows 2000, Windows XP and Windows Server 2003.

But perhaps more significant than the updates themselves, Microsoft also fixed a glitch in Windows Server Update Services (WSUS) that had threatened chaos for IT shops, many of which rely on the tool to deploy the software giant's monthly patches.

Amol Sarwate, manager of vulnerability research for Redwood Shores, Calif.-based security firm Qualys Inc., said IT administrators should move quickly on MS07-061, a critical update that fixes a remote code execution flaw in how the Windows shell handles specially crafted URIs that are passed to it.

If the Windows shell doesn't sufficiently validate these URIs, Microsoft said, it could enable an attacker to run malware on targeted machines. Microsoft said the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003.

"This is a zero-day flaw attackers have already used to post malicious URLs on bulletin boards, in documents and in emails," Sarwate said. "Instead of the intended action, the machine gets infected and the attacker can take complete control of the system."

Eric Schultze, CTO of Shavlik Technologies LLC in Roseville, Minn., agreed, saying, "This is one of the more dangerous items we've seen in the last six months, and that's why IT administrators need to be quick with this one."

Microsoft also released MS07-062, an important update that fixes a spoofing flaw in Windows DNS servers attackers could exploit to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations. The security update applies to all supported versions of Microsoft Windows 2000 Server and Windows Server 2003.

While it's only rated as important, Sarwate said IT administrators who manage DNS servers should treat it as if it were critical. "This is remotely exploitable and an attacker can target you anywhere in the world with this," he said. "It doesn't require a user to click on malicious links."

WSUS fixed
While this is one of the lightest patch release months Microsoft has had in some time, IT administrators will also be relieved to know the software giant has fixed a WSUS glitch that could have wreaked havoc with this week's patching efforts.

Sunday evening, Microsoft renamed a product category entry for its Forefront line of business security products to clarify the scope of future updates. Unfortunately, the company said, the category name that was used included the word Nitrogen in double quotes (appearing as "Nitrogen"). A double quote is a restricted character within WSUS, which created an error condition on the administration console.

IT administrators fretted about the glitch on various message boards, but were relieved early Tuesday when Microsoft fixed the problem.

No more MBSA 1.2 support
Schultze said this month's security update also marks the first time Microsoft is not supporting the MSSecure.XML file used by the Microsoft Baseline Security Analyzer (MBSA) version 1.2, which Windows administrators have relied on to scan for newly released patches.

Shavlik is using this month's Patch Tuesday to alert customers that it is offering a drop-in command-line replacement to MBSA 1.2, which will enable customers to continue scanning for security patches without requiring any changes to their existing scripts, Schultze said.