April 9, 2007
» ANI Patch: How Do You Think Microsoft Handled It?

Last week, Microsoft released an out-of-band patch for a vulnerability affecting the animated cursor, also known as ANI.

The vulnerability was identified by Determina back in December, who in turn notified Microsoft. For some, like eWeek's Joe Wilcox, the four-month timeframe to get the patch out is unreasonably long.

Wilcox compares the ANI vulnerability to a Windows metafile bug that created problems back in late December 2005/early January 2006. "Both flaws affect the Windows graphics subsystem—or GDI—and were exploited without patches being available." Both flaws also led to the release of several other fixes to the GDI. However, the patch for the WMF vulnerability was available in weeks, not days.

Microsoft provided their own explanation of the process involved in releasing the patch. Based on some initial feedback from SANS, the extra testing may pay off in ensuring the patch is effective and doesn't cause too many headaches. Larry Seltzer, another eWeek columnist, was one of many supporting Microsoft's decision to release the patch ahead of tomorrow's regular cycle, although he questioned the additional GDI patches being released with it. "By including it with this many other fixes they make it harder to test. Perhaps they should have left the rest of the update for next week," Seltzer said.

Mike Rothman, in one of his Daily Incite posts last week, didn't necessarily feel Microsoft handled the ANI vulnerability as well as they could have, but found several signs of improvement in how Microsoft is handling issues in general. Like Mike, I found the explanation from Rob Graham of Errata to be one of the more reasoned perspectives on the ANI vulnerability.

What did you think of Microsoft's effort? How do you think they could improve?

December 14, 2005
» Microsoft Fixes Critical IE Flaw

As expected, one of the two patches that Microsoft released yesterday fixes the recently disclosed vulnerability in how IE handles JavaScript "Window()" function calls. On November 21st an exploit was released targeting this flaw.

The cumulative patch for IE, MS05-054, also includes previous fixes for the web browser. The patch closes a hole in IE's COM (Component Object Model) handling that could allow remote code to run on some versions of IE, and includes fixes for moderately serious vulnerabilities in IE's File Download dialog box and HTTPS proxy handling.

It is highly recommended that you apply this patch as soon as possible, since attacks against this flaw have already been reported.

The other security bulletin, MS05-055, is rated as important and fixes a hole in the Windows kernel on Windows 2000 machines running SP4. This vulnerability could allow a user with limited privileges to take control of the Windows 2000 machine once successfully logged in.

December 12, 2005
» 2 Microsoft Patches Planned

It's believed that one of the two planned Microsoft security bulletins for tomorrow will be rated as critical. The critical patch is expected to fix an Internet Explorer flaw that is currently the target of multiple malicious exploits. Microsoft had originally discussed issuing an out-of-cycle patch to thwart the IE attacks, but rigorous quality assurance testing delayed the release until the normal release date.

If you haven't yet implemented an automated patch management solution, you should really start to think about it. The time savings alone on your first deployment of Microsoft security updates will provide you with an almost total ROI. This is valuable time you could spend on other projects.

If you have any stories about your patch management experiences, please feel free to share them here.