Patch Tuesday--Thoughts, Part 2

Here are some more thoughts on the large Patch Tuesday. For my first analysis, read "How to Handle Microsoft's Abundance of Patches".

Two of the critical patches in Microsoft's August patch drop affect Internet Explorer.

First up is a new "cumulative" patch for IE. That means that if you've been putting off patching IE for a while, now would be a good time to get caught up because this patch includes all the previous patches in a single download.

There are separate cumulative updates for IE 6 and IE 7 on each of various Windows versions, including IE 7 on Vista. There are also updates for IE 5.01 and IE 6 on Windows 2000 Service Pack 4 (SP4), as well as IE 6 and 7 on Windows XP SP2.

That, of course, also means that the update fixes some newly discovered security flaws. Of the three new bugs fixed in the latest patch, one is in a very basic part of IE's support for HTML--the language of the Web--called cascading style sheets or CSS. The other two are in how IE handles special plug-ins called ActiveX controls.

To a certain extent, however, it doesn't matter what the various holes were originally intended to do. In my mind's eye, it's a bit like a huge long hallway with lots and lots of doors on either side. Some are unlocked but most are not. What a bad guy has to do is identify one that has been inadvertently left unlocked and enter your computer through it.

So, for example, one of the newly fixed holes lies in the fact that there are a couple of ActiveX controls that were never meant to run in IE. Unfortunately, it turns out that they can be run in IE anyway which gives an attacker a way in--a little like breaking a window at the back of the house to get in.

In order to make the job of finding unlocked doors (or windows) easier, both white hat (good) and black hat (bad) hackers these days often use tools called "fuzzers" which are automated programs that try all the doors they can find to identify which ones are unlocked or can at least be jimmied.

Many of these holes, once identified, can be exploited by sending too much information into one at once--creating what's called a "buffer overflow" condition. This effectively knocks IE off track and gives the attacker the opportunity to run a program of his or her own choice instead. That lets the attacker appear to be you to your PC with all kinds of negative consequences.

(Luckily, none of the bugs patched in this month's Patch Tuesday drop has seen any exploits or even proof-of-concept demos in the wild . . .at least not yet.)

If you don't already have automatic updates enabled in Windows, you can find more information and links to the IE cumulative update downloads at Microsoft's security bulletin.

A second patch fixes the way IE handles what's called Vector Markup Language or VML. This is a little-used language for rendering vector graphics--such as line art. Unlike bit-mapped graphics, vector graphics take up less memory and can also be modified by stretching or bending them. VML takes less memory because it doesn't have to replicate every single dot as in a bitmap--just to describe the lines that make up a vector image.

Here again, creating an overflow condition can enable an attack program to invade your PC and, once again, having that happen is a function of clicking on a malicious link or visiting a booby-trapped Web page. It's probably superfluous to repeat, but the old saw comes to mind: Be careful where you click.

For further information on this patch, click on over to Microsoft's security bulletin.

Comments

Post a comment Post a comment

0 / 1000 max characters