Wednesday, June 09, 2010

Microsoft forgets a patch on Patch Tuesday

"Fix it" tool, but no patch for flaw in old version of Microsoft Office

By Jon Brodkin

You know what I love the most about Patch Tuesday? The patches. Your Microsoft software has vulnerabilities you didn’t even know about, and then – boom! – you download a patch and you’re totally safe. As long as you haven’t been hacked already.

But that's assuming Microsoft, you know, actually releases all the patches you need. Unfortunately, that's not always the case.

Today, Microsoft issued 10 security bulletins encompassing 34 vulnerabilities, a record-tying month. To be fair, Microsoft released patches for nearly every single vulnerability on nearly every single affected system. With one exception.

Check out the fine print on Microsoft Security Bulletin MS10-036, which includes several vulnerabilities affecting different versions of Office. For one vulnerability affecting Office XP Service Pack 3, an older version, there is no patch.

“The architecture to properly support the fixes to correct validation does not exist on Microsoft Office XP, making it infeasible to build the fixes for Microsoft Office XP products to eliminate the vulnerability,” Microsoft explains. “To do so would require rearchitecting a very significant amount of the Microsoft Office XP products, not just the affected components. The product of such a rearchitecture effort could sufficiently introduce an incompatibility with other applications that there would be no assurance that these Microsoft Office products would continue to operate as designed on the updated system.”

Jason Miller, data and security team manager at Shavlik Technologies, criticized Microsoft for not offering a patch. Granted, this is an old version of Office, but Miller says, “If you say you support a product, even if it’s hard or not feasible, you have to find a way.”

This particular vulnerability opens users up to remote code execution, making it a serious flaw indeed. To Microsoft’s credit, Miller points out, the company did offer what it calls a “Fix it solution” for users of Office XP Service Pack 3.

“Although this is not a code fix in the Office products themselves, the Microsoft Fix it solution provides similar protections against the vulnerability described in this bulletin,” Microsoft said. “Although the risk to application compatibility is minimized, Microsoft recommends that users test this Microsoft Fix it solution before widely distributing it. For the download location and additional details, see Microsoft Knowledge Base Article 983235.”

The Fix it tool should work, but it requires manual effort on the part of an IT administrator, whereas “patching is a lot easier” and can be taken care of by patch management software, Miller says.

Customers could, of course, upgrade to newer versions of Office, but some organizations still have users running on old versions of all kinds of software. Even users of Office 2003 and Office 2007 have to make sure they’re on the latest service packs to be able to apply the patches, Miller noted.

Microsoft detailed a similarly unpatched flaw in Windows 2000 Service Pack 4 and Windows XP last September. In that case, there was no fix it tool, either. That flaw increases the risk of denial-of-service attacks.

“The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability,” Microsoft said at the time, further advising that customers “use a firewall to block access to the affected ports and limit the attack surface from untrusted networks.”

I'm sure customers would prefer a real patch for every vulnerability Microsoft finds. In the meantime, they'll have to make do with what they get.