Microsoft has fixed a content spoofing vulnerability in ISA Server 2000 and Proxy Server 2.0. But the company's November security update doesn't address the Internet Explorer IFRAME flaw exploited by three new Mydoom variants since Monday.
"This month's issue doesn't appear to be something attackers are likely to exploit," said Thor Larholm, senior security researcher with Newport Beach, Calif.-based security firm PivX Solutions. "But I think Microsoft should have done more patching this month to fix the IFRAME problem. SP2 isn't affected by this vulnerability, which tells me Microsoft already has the means to fix this quickly. Hopefully, they'll fix this outside their monthly cycle."
This month's lone bulletin fixes a vulnerability an attacker could use to spoof trusted Internet content. "Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious Web site," the bulletin said. "However, an attacker would first have to persuade a user to visit the attacker's site to attempt to exploit this vulnerability."
Microsoft described it as an "important" vulnerability and urged those who use the servers to install the update "at the earliest opportunity." At the same time, the company pointed out three mitigating factors:
- Attackers can't use the flaw to spoof an SSL certificate belonging to other domain names;
- An attacker would first have to persuade a user to view content that causes a reverse lookup to occur; and
- Systems that enable the default site and content rule permitting "all traffic" to "all destinations" are not affected by this vulnerability. However, the company said, that rule is generally disabled as a security best practice, and it does not recommend enabling the rule as a workaround for this problem.
This month's update is essentially what Microsoft told customers to expect last week, when it issued the first of its monthly advance alerts, which will be posted for all customers on the company's TechNet security site three business days before each Patch Tuesday. It is also a much lighter update than what IT managers saw last month, when Microsoft issued 10 security bulletins -- seven of them critical -- to fix 22 vulnerabilities.
"This vulnerability doesn't look like a candidate for a massive exploit," said Craig Schmugar, virus research manager for Santa Clara, Calif.-based McAfee Inc.
It's unclear when Microsoft will issue a fix for the Internet Explorer IFRAME vulnerability. Several antivirus firms issued alerts Monday for two new Mydoom variants that exploit the flaw, which Danish security firm Secunia labeled "extremely critical." Schmugar said Tuesday that a third variant was in the wild.
Microsoft said last week it's investigating the security hole. "Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," a spokeswoman said last week.
"I wasn't expecting them to have a patch for the IFRAME vulnerability this quickly because of all the testing they have to do," Schmugar said. "I do wish they'd at least confirm the vulnerability or offer a workaround."
This article originally appeared on SearchSecurity.com.