Microsoft seems to be developing a pattern, according to security experts. One month, the software company floods IT administrators with security bulletins, and the next, administrators find the well nearly dry on Patch Tuesday.
Admins weren't totally off the hook this month, however, following a heavy 10-bulletin release in June. Microsoft issued three security bulletins this month, and all three addressed critical vulnerabilities in commonly used client-side applications.
In a recent effort to help users navigate Microsoft patches, patch management software vendors BindView Corp., in Houston, and Roseville, Minn.-based Shavlik Technologies LLC have teamed up to create a webcast on BindView's Web site to critique patches .
Mark Loveless, senior security analyst with BindView's "Razor" security research team and Eric Schultze, chief security architect at Shavlik, hosted the initial patch webcast and discussed how admins should approach patching their systems this month.
Dangerous Word documents
Microsoft released critical patches for Microsoft Word, the Microsoft Color Management Module in Windows and the JView Profiler in Internet Explorer and Windows. Loveless and Schultze agreed that the vulnerabilities posed critical threats, but since they require end-user action, they are manageable as long as they are patched quickly, as exploit code has been circulating in the wild for some of them.
"The last few Word issues have been very similar [to MS05-035] -- opening a malicious Word document can lead to some kind of evil activity happening," Schultze said. "This is only exploited when you go to open [a] Word attachment via e-mail, Web or shared drive. If it's one of these malicious documents it will do a buffer overflow and attack your box." A user with administrative rights would be vulnerable to an exploit of this vulnerability.
"The workaround to this is to not open or save Microsoft Word files that you receive from unknown sources," Loveless said. "Ultimately, the workaround for the Microsoft Word vulnerability is to not use Microsoft Word." Microsoft Word 2000, 2002 and XP SP3, Office 2000 SP3 and Works Suite 2000 to 2004 are affected.
Color management flaw being actively exploited
The second bulletin, MS05-036, which fixes a vulnerability in the Microsoft Color Management Module, was rated critical to address promptly because it can be exploited if a user visits a Web site with an infected image, opening up machines to hacking.
"It is being actively exploited on the Internet, so it's important to get this one patched as soon as possible," Schultze said. Several versions of Windows are affected.
Java Virtual Machines can host problems
The third patch, MS05-037, affects systems that contain Java Virtual Machines running on Internet Explorer.
"Since the JView Profiler COM object was not designed to be accessed through Internet Explorer, this update sets the kill bit for the JView Profiler (Javaprxy.dll) COM object," Microsoft said in its bulletin.
"Basically, what it means is that the problem is specifically within the Java Virtual Machine," Loveless said. "It's not loaded by default in [Windows] XP or 2003, but odds are pretty good that you have it if you've loaded any number of potential applications that have this in it."
A security setting workaround
Setting Internet Explorer security to "high" or directing the browser to issue a prompt before running ActiveX controls can keep the vulnerability from being exploited, but the experts recommend patching to avoid risk.
"The user is going to get hit with this by simply visiting a malicious Web site or reading an HTML e-mail," Schultze said. "Even if you never use Java Virtual Machines, just having it on your system means you're vulnerable to this. … This debugger was never intended for use through Internet Explorer. It doesn't impair any functionality. Since it's being actively exploited, it's probably something that you should get patched on all of your machines."
Next month, experts think the company will again offer a large batch of bulletins.